From what you’ve described, it sounds like you followed the steps for a New App in the support page you linked. If so, you have to use the keystore and alias you used to sign your apk the first time, for all updates.
Background: If you opt in to let Google handle the app signing for you, you just need to sign with the one key (the upload key) and Google will manage your app-signing key.
If you didn’t make a keystore, you may have uploaded an unsigned app (which I don’t think you can publish).
If you’re managing your own keys however, the steps are different, and I can help with that too - just let me know.
I’m having the same problem. I don’t know how to sign an APK with the Upload certificate.
Google Play Dev. console gives you a certificate which you can download: upload_cert.der (as well as deployment_cert.der).
How can they be used? It’s nothing like a keystore.
If you sign with a newly created keystore, it rejects it saying that it needs to be signed with the Upload certificate.
Now I’m stuck as a result of opting for App Signing by mistake. The first time you upload an APK, if you don’t pay attention you may not realise that you are redirected to the App Signing section. If you don’t click opt-out at this point, then you’re done!
I think there’s quite a bit of misunderstanding around this. This is how I eventually got it to work:
You don’t sign your app with the certificate downloaded from Google.
You also don’t import it into the keystore created by Unity. If you do so, Unity won’t see it because what you imported is only the public key, and you need the private key to sign the app. The private key is held by Google - you don’t have it.
So what you do is you create the keystore and key in Unity and sign your app with it - just like before.
In Google Play Console → App releases, you can see this:
"Let Google manage and protect your app signing key (recommended)
Upload key: The key you use to sign your first release. Sign every subsequent release with the same key to verify it’s from you. Keep your upload key safe. If it’s ever lost or compromised, contact developer support to replace it."
On the App Signing page there’s this:
"How it works
You digitally sign each release using your upload key before publishing it to a track in the Play Console.
Google Play uses the upload certificate to verify your identity and then re-signs your release using the app signing key for distribution.
Each Android device checks the release’s app signing certificate matches the certificate of the installed app before updating it."
So what Google does is once you upload your app, they sign the app once again - this time with their private key. And the public key for that signature is what you downloaded from Google Play.
Users will now see that your app is signed not with your Unity upload key, but with Google’s. So if you want to register your app’s MD5 signature somewhere (like API providers), you need to use the certificate downloaded from Google - that’s the only reason you need it - you don’t sign with it.
The idea is that your upload key is only used to let Google know it’s you, and not distribute the app. And if you lose it you can ask Google to change it.
But if that key was used to actually distribute the app and you lose it - it’s game over. That’s why the distribution is done using Google’s key, which hopefully is kept much safer.
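Added example, not part of the original posts: computing the fingerprints of a certificate file downloaded from the Play Console (the thread names `upload_cert.der` and `deployment_cert.der`) in the forms API providers commonly ask for. The sample byte strings are constructed stand-ins for real certificates, and the function names are this example's own.

```python
import base64
import hashlib
import re
import sys

# Constructed stand-ins for the two downloads; real files hold X.509 DER bytes.
SAMPLE_DEPLOYMENT = b"0\x82constructed-deployment-cert"
SAMPLE_UPLOAD = b"0\x82constructed-upload-cert"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def load_cert_der(data: bytes) -> bytes:
    """Return raw DER bytes from either a DER or a PEM-encoded certificate."""
    match = PEM_RE.search(data)
    if match:
        # PEM is base64 of the DER bytes between the marker lines.
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def fingerprints(data: bytes) -> dict:
    """Digest the whole certificate; no private key is involved or needed."""
    der = load_cert_der(data)
    out = {}
    for name in ("md5", "sha1", "sha256"):
        digest = hashlib.new(name, der).digest()
        # Colon-separated upper-case hex, the layout keytool prints.
        out[name] = ":".join(f"{b:02X}" for b in digest)
    # Some providers ask for base64 of the SHA-1 digest instead of hex.
    out["sha1_base64"] = base64.b64encode(hashlib.sha1(der).digest()).decode()
    return out


def same_certificate(a: bytes, b: bytes) -> bool:
    """True when two files hold the same certificate, whatever the encoding."""
    return fingerprints(a)["sha256"] == fingerprints(b)["sha256"]


if __name__ == "__main__":
    # Pass certificate files as arguments, or run with none to use the samples.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample-deployment", SAMPLE_DEPLOYMENT), ("sample-upload", SAMPLE_UPLOAD)]
    for label, data in inputs:
        for name, value in fingerprints(data).items():
            print(f"{label:20} {name:12} {value}")
```

The upload and deployment certificates produce different fingerprints, so `same_certificate` is a quick check that the value registered with a provider came from the intended file.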