2

I am currently working in a pharmaceutical company which also publishes apps. Until now the only scope was iOS and now they want to create Android apps.

From the developers we receive an unsigned .aab file because we have an internal validation process. After that process we need to resign the app to deploy it in the Google Play Console.

But as i upload the .aab i get: "You uploaded an APK with an invalid signature (learn more about signing). Error from apksigner:" with no further information

As Mentioned we get a clean .aab file, no more no less and need to deploy it.

I have created a new app in the console, enabled app signing, downloaded the pepk.jar file, run the code attached to the pepk, uploaded the output file and downloaded the upload_cert.der file.

Now i already tried to import the .der file in my .keystore file and resigned the .aab --> no success
$ keytool -importcert -file upload_cert.der -keystore appname.keystore

i tried to create a .jks keystore and import the .der --> no success

--

example code of keystore creation: $ keytool -genkey -v -keystore appname.keystore -alias alias -keyalg RSA -keysize 2048 -validity 10000

example code of the signing: $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore appname.keystore appname_unsigned.aab "alias"

example code of zipalign: $ zipalign -v 4 appname_signed.aab cimzia_aligned.aab

What is going wrong? Any idea?

Heath Borders
  • 30,998
  • 16
  • 147
  • 256
Niels Jacquet
  • 21
  • 1
  • 3

1 Answers1

0

Welcome Niels.

You need to understand better the concepts behind signing, in particular the .der file does not contain your private key so you will be unable to sign your AAB with it.

I have provided for that purpose an extensive description of the various concepts in this answer: Use provided upload_cert.der to sign a release Android APK file

Have a read and hopefully it will help.

The tldr is that you should use your private upload key, which only you have (Google does not have this key -- unless you've explicitly chosen to use the same as your signing key), not the .der file that Google lets you download since it only contains the public part of the upload key.

Depending how you enrolled in Play Signing, the private key could be the original keystore you used to sign your APKs with, or some other key you generated when you enrolled (when prompted to use a different upload key). The official documentation should explain all the process in details.

Pierre
  • 15,865
  • 4
  • 36
  • 50