Why and how Expo changed my cert signing keys?

generate sdk with expo build:android then upload it to google play console was working fine so far,

but for some reason play store denied my generated sdk with message like ‘You uploaded an APK that is not signed with the upload certificate’

I noticed my expo cert hash information changed and not match with google console anymore,

via expo credentials:manager I’ve updated keystore with the same information as store again,

but this time build process encounter with error " ```
Failed to read key <key> from store “/tmp/turtle/keystore-…jks”: Cannot recover key"

this is really weird and annoying… I dont understand why cert information needs to change it besides without owners notice…

this would happen if you ran expo build:android -c (short for clear-credentials) and then proceeded past the warning

another possibility is that you built the app under a different expo user account or using a different project slug

@notbrent Okay, How can I make expo generate sdk with current credentials again ? Is there any way to update credentials in expo server?

if you ran expo build:android -c or expo build:android --clear-credentials then unfortunately you can’t unless you stashed the credentials that were provided to you when doing that as a backup. the warning prompt when you run the command is exceedingly clear about this!

if you switched the slug, then just switch back and rebuild.

where did you get the keystore from that you are attempting to upload with credentials manager? as far as i know you should be able to add this through credentials manager, cc @quinlanj

via expo credentials:manager I’ve updated keystore with the same information as store again,
but this time build process encounter with error " ```
Failed to read key < key > from store “/tmp/turtle/keystore-…jks”: Cannot recover key"

Most likely you uploaded some incorrect file or specified wrong values for passwords, there is no way to download Keystore from google play or anywhere else, you can only recover it if you backed it on your own before.

As @notbrent mentioned above, if you changed slug, logged as a different user or changed owner field, you can recover by switching back to original values and keystore should be there

If you non of that applies to you, you need to ask play store support to reset your keystore

  • make sure you have latest expo-cli
  • run expo build:android -c and select generate new keystore
  • wait for the build to end
  • run expo fetch:android:upload-cert
    The last command will generate .pem file (it’s public key extracted from the new keystore) that you need to include with a message to support
1 Like

@notbrent I understood If I would change slug that happens but I didnt…
Also not sure If I really did, but I have to assume “expo build:android --clear-credentials” cause this… Is there anyway to check commands run by user like history or logs?

@wkozyra I got your point, and yes I have backup of keystore file (myapp.jks) how can I recover it with it?
Is this file enough to publish play store again without changing anything on there? If yes please give eloborate solution, if not I will go for play store to reset my keystore


Btw I only changed expo sdk version in app.json, which its gone since its not needed in sdk v 38

If you have correct keystore, kesytore password, alias and password for that alias , specifying it via credentials manager or in build command should work. You can verify with keytool you have locally is valid
keytool -list -v -keystore keystorepath.jks and check if alias exists and cert fingerprints are correct


@wkozyra I did exactly what you told me to do… and thats worked!!! Thanks Mr./Mrs. you made a developer happy today :slight_smile:

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.