5

For three of my apps on Google Play I have now had a signing error like this when trying to upload a new version in the last few days:

Upload failed You uploaded an APK that is signed with a different certificate to your previous APKs. You must use the same certificate. Your existing APKs are signed with the certificate(s) with fingerprint(s):

[ SHA1: 87:17:A3:71:CD:CF:D6:73:71:56:B1:59:DE:89:6D:5A:E0:EE:31:8A,SHA1: 4C:45:1E:30:2D:04:F4:DC:36:0E:EF:29:1B:1E:E1:02:C0:E8:E9:85 ]

and the certificate(s) used to sign the APK you uploaded have fingerprint(s):

[ SHA1: 87:17:A3:71:CD:CF:D6:73:71:56:B1:59:DE:89:6D:5A:E0:EE:31:8A ]

I double-checked the keystore and it is the one I always used. In fact some of the apps have a pro version that uses the same keystore, and there the update worked fine. What is striking IMO is the strange fingerprint of the old, existing APK, which in the above case has a second entry with "SHA1:" in it, and for one of the other apps that failed the old fingerprint was listed as "[ ]", i.e. an empty one. In the meantime I also updated other apps and in most cases things worked fine. The only thing (that I noticed) which the three apps I have problems with have in common is that these apps are quite old, with the first APK version dating from 2009 or even 2008. But the pro versions - where things work fine - were introduced later.

There is a similar question, "Upload failed for newer version apk on google play", but the browser cache solution does not work and I am also quite confident that I used the right key.

Anyone have an idea what might be the solution here? I am starting to think that perhaps for some older apps the fingerprints were incorrectly extracted from the APKs on Google's side (hence the one empty and the other IMO a bit strange fingerprints for old versions). But typically problems originate from between one's own ears...

Thanks

Community
Ecthelion

2 Answers

0

It's possible to sign an APK with more than one key. This was never really a well-supported behavior, and the order the keys will be processed is undefined. But if your early APK was signed with two keys, as the message suggests, then your update will need to be signed with all the same keys (possibly in the same order).

It looks like the first key is the same as the one you used, so you need to find the keystore for the second key. Maybe some part of your build process was re-signing the APK before uploading. A likely suspect might be your debug keystore in ~/.android.

Adam Bliss
  • Thanks, but what about the other fingerprint listed as "[ ]"? Signing without a key was certainly never possible. – Ecthelion Jul 24 '13 at 20:23
0

I'm also experiencing this exact same issue. Nothing has changed, I'm still using the same keystore, and updated the app two weeks ago with no problems. Now it's saying that the signed app update has only one SHA1-hash fingerprint certificate, and the existing app in the store has two different SHA1-hash fingerprints (and one of those is the same as the app update's). So it looks like it used to be signed with two certificates, but now only one. But nothing has changed in the export and signing process - it's done via Eclipse export signed application as it always has been.

Perhaps it used to always sign with two, and one of them has been moved or deleted. That's my only theory at this point. Or perhaps something's expired in the Play developer console upload / signing check code in Google land.

Another detail our app shares with OP's app is that it was also first published in 2009.

  • 1
    Very interesting. And indeed exactly like in my case. Personally I think this supports the theory that it's a special problem for old apps. – Ecthelion Jul 24 '13 at 20:25
  • According to this you can check the cert fingerprints of APKs this way... http://stackoverflow.com/questions/11331469/how-to-find-out-which-key-was-used-to-sign-an-app which suggests that they should be SHA-1 - I notice that my fingerprints are MD5withRSA when I do that - perhaps it's an issue when the keystore has certificates with MD5withRSA. Can you check your APKs this way to see if that's the difference between the ones that do work and the ones that don't? Perhaps Google (accidentally) dropped support for older MD5 certs this month. – Tom Jacobs Jul 25 '13 at 04:33
  • 1
    They've fixed it now, it was Google's issue. – Tom Jacobs Jul 26 '13 at 05:25
  • Ah, then I will try again – Ecthelion Jul 26 '13 at 19:11
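
Added example, not part of the original thread or anyone's posted code: a way to check locally how many signers an APK carries (the multiple-key case from the first answer) and to compare its certificate fingerprints with the bracketed lists in the upload error, as the comment above suggests. It assumes JAR-style (v1) signature blocks under META-INF/ encoded as definite-length DER; all function names are hypothetical.

```python
import hashlib, io, re, zipfile

def read_tlv(buf, pos):
    """Read one definite-length DER element; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not handled here")
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def fingerprint(cert_der):
    """SHA-1 of a DER certificate, formatted like the Play upload message."""
    h = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def pkcs7_cert_fingerprints(der):
    """Fingerprints of the certificates embedded in a PKCS#7 SignedData block."""
    _, start, _ = read_tlv(der, 0)         # ContentInfo SEQUENCE
    _, _, pos = read_tlv(der, start)       # skip the contentType OID
    _, pos, _ = read_tlv(der, pos)         # [0] EXPLICIT wrapper
    _, pos, sd_end = read_tlv(der, pos)    # SignedData SEQUENCE
    while pos < sd_end:
        tag, vstart, vend = read_tlv(der, pos)
        if tag == 0xA0:                    # certificates [0] IMPLICIT SET OF Certificate
            fps = []
            while vstart < vend:
                _, _, cert_end = read_tlv(der, vstart)
                fps.append(fingerprint(der[vstart:cert_end]))
                vstart = cert_end
            return fps
        pos = vend
    return []

def apk_v1_signers(apk_bytes):
    """Map each v1 signature block file in META-INF/ to its certificate fingerprints."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: pkcs7_cert_fingerprints(z.read(n)) for n in z.namelist()
                if re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n, re.I)}

def play_fingerprints(bracketed):
    """Parse a '[ SHA1: .., SHA1: .. ]' list from the upload error into a set."""
    return set(re.findall(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}", bracketed.upper()))

def missing_signers(existing_msg, apk_bytes):
    """Fingerprints Play lists for the existing APKs that the new APK lacks."""
    have = {fp for fps in apk_v1_signers(apk_bytes).values() for fp in fps}
    return sorted(play_fingerprints(existing_msg) - have)
```

To inspect a real file, pass its bytes (for example `open("app.apk", "rb").read()`, where the file name is a placeholder) to `apk_v1_signers`; more than one key in the result means more than one signature block.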