How to upload app-signing certificates to Expo servers?

I have a published and working APK that was built and signed by Expo.
I wanted to build an app-bundle instead of APK so I followed the docs and ran: expo opt-in-google-play-signing.

It asks to compare the hashes printed in the terminal to those in Google Play Console.
For me they are different for some reason. I chose no and the utility says there is nothing to do and exits.

My question is how I can upload the new certificates to Expo servers? And which files exactly are being uploaded? There are too many files/keys/certificates and I am already lost.

expo diagnostics:
Expo CLI 3.0.10 environment info:
System:
OS: Linux 5.0 Ubuntu 18.04.2 LTS (Bionic Beaver)
Shell: 4.4.19 - /bin/bash
Binaries:
Node: 10.16.3 - /usr/local/bin/node
Yarn: 1.17.3 - ~/.yarn/bin/yarn
npm: 6.11.3 - /usr/local/bin/npm
npmPackages:
expo: ^34.0.1 => 34.0.4
react: 16.8.3 => 16.8.3
react-native: https://github.com/expo/react-native/archive/sdk-34.0.0.tar.gz => 0.59.8

If you enabled Google Play app signing correctly and then answered no, expo-cli removed temporary files, including your upload keystore that was supposed to replace your old signing keystore.

At this point, the only way is to contact Google support and ask them to reset your password.
You will need to provide them with a new upload certificate: run expo build:android -c to generate a new keystore and run expo fetch:android:upload-cert to download and extract the public cert from the new keystore.

I already did this. I contacted Google, I sent the certificate to them and they have already updated it.
2 things:

  1. The “app signing certificate” is also different for me. What should I do about this fact? I need to update it as well? If yes - how?
  2. I still did not understand how exactly I am updating Expo servers with the new certificate. I don’t want to do something wrong. Otherwise, I won’t be able to update the app in the old way also.

  1. Your old keystore should match “App signing certificate”, your new one should match “Upload certificate”.
  2. If you ran build -c, it generated a new keystore and extracted the public cert from that; if not, the cert you sent them was from your original keystore, and in this case the upload cert and app signing cert hashes should match each other. Using the same keystore for both is a bit less secure, but it will work either way.

This is how I created the certificate:
keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks

keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

Then I sent the upload_certificate.pem to Google and they updated it.

Can I use it now? Or I had to create the cert in another way?
If I can use this file to update Expo servers - I am not sure I understood how to do it.

OK, so you generated a new keystore and then extracted the public cert from that?

In this case you only need to upload this keystore to the Expo server. To do that, run expo build:android -c, select the option to provide your own credentials, and pass the path to the keystore and all credentials.

Ok, another question. I have a keystore password. But what is the “Key Password”?
I did not provide it when I created the cert.
Running this: keytool -v -list -keystore keystore.jks does not give it to me, it only returns the hash.

Would you like to upload a keystore or have us generate one for you?
If you don’t know what this means, let us handle it! :slight_smile:
true
? Path to keystore: /keystore.jks
? Keystore Alias: upload
? Keystore Password: [hidden]
? Key Password: [hidden]

Most likely you generated the keystore in pkcs format; Android builds support only jks. You can verify this by checking what type the keytool -list command shows.

You can convert pkcs keystore to jks with

keytool -importkeystore -srckeystore existing_keystore.p12 -srcstoretype PKCS12 -srcalias ___ -destkeystore new.jks -deststoretype JKS -deststorepass ___ -destkeypass ___ -srcstorepass ___ -destalias ___

where existing_keystore.p12 is your keystore and new.jks is file you will need to upload

I have created a JKS file. As I already mentioned this is how I created it:
keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks
keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

It asked for password, I gave it a password and the cert was created. But what is the “Key Password”? Expo asks for it but I have no idea what’s that.

In jks store you have global password for keystore and separate for every alias/key, key password is exactly that.
Your genkeypair command was missing -storetype jks

Your keystore is named jks, but it’s in fact p12.

While waiting for your answer I ran this command: expo build:android -t app-bundle -c
Both for “keystore password” and “key password” I gave the same “keystore password”.

And I was able to successfully upload the .aab file to Google Play Console - it said “upload success”.

After all those manipulations that I did, I want to make sure I won’t face other certificates related errors in the future. So, my question is if I was able to successfully upload the .aab file to Google Play - everything now is ok?

I’m assuming that you are talking about keystore you generated originally and that you didn’t follow my instructions from previous posts.
In that case verify what format is your keystore with keytool -list -keystore keystore.jks

  • If it’s jks it’s possible that by default it sets both passwords to the same value and so in this case you should be fine.
  • If it’s pkcs, as I assumed at the beginning, it’s a bit surprising that it works. I guess that it’s possible for it to work for app bundle, but fail for apk (it would fail during build). In case of problems in the future you can convert the pkcs file to jks.

Yes, it is PKCS12 but it works (for app-bundle at least).
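
The two checks this thread keeps returning to, as an added example (not code from the posters or from Expo): it classifies a keystore by its leading bytes rather than its file name, and prints the fingerprints of an exported PEM certificate in the colon-separated form used when comparing against Play Console. The function names and the two command-line arguments are assumptions of this example.

```python
import base64
import hashlib
import re
import sys

JKS_MAGIC = bytes.fromhex("feedfeed")    # Java KeyStore (JKS) file magic
JCEKS_MAGIC = bytes.fromhex("cececece")  # JCEKS file magic


def keystore_format(head: bytes) -> str:
    """Classify a keystore from its first bytes, ignoring the file extension."""
    if head[:4] == JKS_MAGIC:
        return "JKS"
    if head[:4] == JCEKS_MAGIC:
        return "JCEKS"
    # PKCS#12 is an ASN.1 SEQUENCE (0x30) whose first field is INTEGER 3.
    if len(head) >= 2 and head[0] == 0x30:
        # Long-form lengths carry (byte & 0x7F) extra length octets.
        length_octets = head[1] & 0x7F if head[1] & 0x80 else 0
        if head[2 + length_octets:5 + length_octets] == b"\x02\x01\x03":
            return "PKCS12"
    return "unknown"


def pem_fingerprints(pem: str) -> dict:
    """Hash the DER bytes of the first certificate found in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))

    def colon_hex(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)

    return {"SHA1": colon_hex(hashlib.sha1(der).digest()),
            "SHA256": colon_hex(hashlib.sha256(der).digest())}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py keystore.jks upload_certificate.pem
        with open(sys.argv[1], "rb") as f:
            print("keystore format:", keystore_format(f.read(16)))
        with open(sys.argv[2]) as f:
            for name, fp in pem_fingerprints(f.read()).items():
                print(f"{name}: {fp}")
    else:
        # Constructed sample: leading bytes of a PKCS12 file saved as *.jks.
        print(keystore_format(bytes.fromhex("30820a1b020103")))
```
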
