18

Got a certificate to sign the android unsigned release apk files, So I imported the cer using command:

keytool -import -alias alias_name -file cer_name.cer -storepass changeit  -keystore my_keystore.keystore

But when signing the app with android studio it produces error:

Error:Execution failed for task ':packageDebug'.
> com.android.ide.common.signing.KeytoolException: Failed to read key alias_name from store "C:\Users\username\my_keystore.keystore": trusted certificate entries are not password-protected

My deductions said that because the keys are not password protected so i tried again and set the password for keys using:

keytool -import -alias alias_name -file cer_name.cer -storepass changeit -keypass changeit -keystore my_keystore.keystore

But still the error persist.

I also tried with manual procedure with jarsigner:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my_keystore.keystore unsigned-release.apk alias_name

Got error:

jarsigner: Certificate chain not found for: alias_name.  alias_name must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

Please help I am unable to get relevant post on this error for Android apk signings

Sanjay Singh
  • 231
  • 1
  • 3
  • 11
  • 2
    I am stuck on this as well. I'm a little frustrated that none of the people on the internet with the same problem have stated their solutions, so I'm starting a bounty. – Bassinator Jun 11 '18 at 18:33
  • I'm having the same issue. I opened a request at Google to reset my key, but they just changed the upload key on their side and I still don't have the private key to sign the apk. It is a shame how this process is badly documented... – Fabricio Aug 09 '18 at 12:54

4 Answers4

17

*.cer files usually only contain certificates, not the private key needed to sign an APK.

List the content of the keystore :

keytool -list -v -keystore my_keystore.keystore

And look for the Entry type: line (for the corresponding alias). The value must be PrivateKeyEntry, not trustedCertEntry

bwt
  • 17,292
  • 1
  • 42
  • 60
  • 10
    Okay - this explains the problem, but not the solution. – Bassinator Jun 18 '18 at 18:41
  • 2
    You need a file containing the private key, for example a pkcs12 (usually *.p12) which you can import in the keystore – bwt Jun 18 '18 at 20:36
  • 1
    By the way the key is usually not imported but generated from scratch because Android does not care about a *real* certificate (with a valid certificate chain), it only use the private key – bwt Jun 18 '18 at 21:24
  • 2
    I converted google **der** into **jks** but because of `trustedCertEntry` its throwing error **Cause: trusted certificate entries are not password-protected** – Bhavin Patel Feb 27 '21 at 12:41
10

I highly recommend getting Keystore Explorer. This program saved my life more than once when I was having some keystore and cert issues. It's free and open source, and an easy to navigate GUI. It can make new keypairs and import existing key pairs into your keystore. I started using it about 3 years ago and it is still in my folder for dev tools.

Timothy Winters
  • 5,481
  • 1
  • 15
  • 18
0

The solution is: instead of using Google's default signature, use our own signature. Google's default signature does not disclose the private key, so it cannot be used to sign the apk.

Arison
  • 15
  • 7
-3

If you are using android studio there is a very simple solution to sign apk follow the below steps Go to Android Menu -> Find Build -> Generate Signed APK... after that new window appeared -> click on Create new... button. Next enter details as like shown below and click OK -> Next. enter image description here -> Choose key store path that you want to store your .jks file for future use -> set your desired password that you want -> set Alias Name -> password -> Fill certificate details -> click next

next window will appear as below screen shot enter image description here

Choose directory that you want to signed .apk will store ( otherwise it will generate inside app folder -> release ) -> choose signature version -> click finish

Wait until APK generated successfully

Arun-Khanka
  • 153
  • 3
  • 10