How can I sign my APK with a Google Play upload certificate in Unity?

I’m trying to publish an update of my application on the Google Play Store.

Because I activated the Google Play App Signing service for this app, I have to sign it with an upload certificate provided by the store in order to publish it.

I tried many ways to do that in Unity without success.

Does anybody know how to do that?

Create a keystore file “keystorefile” with Unity. Then import “upload_cert.der”, downloaded from the Google Play Console, into the keystore.

keytool.exe -importcert -file upload_cert.der -keystore <keystorefile>


Hey!
From what you’ve described, it sounds like you followed the steps for a New App in the support page you linked. If so, you have to use the keystore and alias you used to sign your APK the first time, for all updates.

Background: If you opt in to let Google handle the app signing for you, you just need to sign with the one key (the upload key) and Google will manage your app-signing key.

If you didn’t make a keystore, you may have uploaded an unsigned app (which I don’t think you can publish).

If you’re managing your own keys however, the steps are different, and I can help with that too - just let me know.

I’m having the same problem. I don’t know how to sign an APK with the Upload certificate.
Google Play Dev. console gives you a certificate which you can download: upload_cert.der (as well as deployment_cert.der).
How can they be used? It’s nothing like a keystore.

If you sign with a newly created keystore, it rejects it, saying that it needs to be signed with the Upload certificate.

Now I’m stuck as a result of opting for App Signing by mistake. The first time you upload an APK, if you don’t pay attention you may not realise that you are redirected to the App Signing section; if you don’t click opt-out at this point then you’re done!

Please help. Thank you.

Hi. I just had this trouble myself and, being really new to all this, had to take some time to work out the problem in more detail. winxalex answered the question, but if you need a step by step:

  1. You need to download your certificate from your google play console.

  2. You need to import your certificate into the keystore you used the first time you exported from Unity. You probably saved that somewhere important.

  3. You need to use a program called keytool.exe. The path to that program probably looks something like: C:\Program Files\Java\jdk1.8.0_192\bin

  4. If you go there in windows explorer and type “cmd” into the address bar, it’ll open that location in the terminal.

  5. You then need to use winxalex’s code above in the terminal (after having navigated to the location of keystore.exe, as you did in step 3).

  6. You need to point that code to your certificate and to the keystore you’re importing the certificate into. Your final instruction will look something like the following:

  7. keytool.exe -importcert -file "C:\Users\MyAccountName\DesktopOrWherever\deployment_cert.der" -keystore C:\Users\MyAccountName\DesktopOrWherever\user.keystore

  8. keystore.exe will ask you for the password you used and whether you trust the app, then update the keystore

  9. Make sure Unity is using that keystore when you export your app

Those are the steps that worked for me. I hope this helps others.

Did anybody find a solution to this? I can’t update my app. Can Unity generate the APK using the upload cert?

I think there’s quite a bit of misunderstanding around this. This is how I eventually got it to work:

You don’t sign your app with the certificate downloaded from Google.
You also don’t import it into the keystore created by Unity. If you do so, Unity won’t see it because what you imported is only the public key, and you need the private key to sign the app. The private key is held by Google - you don’t have it.

So what you do is you create the keystore and key in Unity and sign your app with it - just like before.

In Google Play Console → App releases, you can see this:
"Let Google manage and protect your app signing key (recommended)
Enabled.

Upload key: The key you use to sign your first release. Sign every subsequent release with the same key to verify it’s from you. Keep your upload key safe. If it’s ever lost or compromised, contact developer support to replace it."

On the App Signing page there’s this:
"How it works

  1. You digitally sign each release using your upload key before publishing it to a track in the Play Console.
  2. Google Play uses the upload certificate to verify your identity and then re-signs your release using the app signing key for distribution.
  3. Each Android device checks the release’s app signing certificate matches the certificate of the installed app before updating it."

So what Google does is once you upload your app, they sign the app once again - this time with their private key. And the public key for that signature is what you downloaded from Google Play.

Users will now see that your app is signed not with your Unity upload key, but with Google’s. So if you want to register your app’s MD5 signature somewhere (like API providers), you need to use the certificate downloaded from Google - that’s the only reason you need it - you don’t sign with it.

Some more info about this:
https://stackoverflow.com/a/52923860/931409

The idea is that your upload key is only used to let Google know it’s you, and not distribute the app. And if you lose it you can ask Google to change it.
But if that key was used to actually distribute the app and you lose it - it’s game over. That’s why the distribution is done using Google’s key which hopefully is kept much safer :)
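Added example, not part of any post in this thread and not Unity's or Google's code: a small Python reader for the legacy JKS keystore format that reports which aliases hold a private key and which hold only an imported certificate, the distinction the post above relies on. It assumes a JKS-format keystore (anything else is rejected); the function names and sample aliases are made up for illustration, and `sample_keystore` builds constructed bytes with dummy key and certificate bodies.

```python
import struct

JKS_MAGIC = 0xFEEDFEED
KINDS = {1: "PrivateKeyEntry", 2: "trustedCertEntry"}  # labels keytool -list prints

def _utf(buf, off):  # Java writeUTF string: 2-byte length + bytes (ASCII assumed)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def _blob(buf, off):  # 4-byte big-endian length + payload
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _cert(buf, off, version):  # version 2 stores the type ("X.509") first
    return _blob(buf, _utf(buf, off)[1] if version == 2 else off)

def jks_entries(data):  # alias -> entry kind; trailing integrity hash not checked
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    off, out = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, off)
        alias, off = _utf(data, off + 4)
        off += 8  # skip creation timestamp
        if tag == 1:  # encrypted private key, then its certificate chain
            _, off = _blob(data, off)
            (chain,) = struct.unpack_from(">I", data, off)
            off += 4
        elif tag == 2:  # a lone certificate: public key only
            chain = 1
        else:
            raise ValueError("unknown entry tag %d" % tag)
        for _ in range(chain):
            _, off = _cert(data, off, version)
        out[alias] = KINDS[tag]
    return out

def signing_aliases(data):  # aliases that hold a private key and so can sign
    return [a for a, k in jks_entries(data).items() if k == "PrivateKeyEntry"]

def sample_keystore(entries):  # constructed JKS bytes, dummy key/cert bodies
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    blob = lambda b: struct.pack(">I", len(b)) + b
    cert, body = utf("X.509") + blob(b"dummy-cert"), b""
    for alias, tag in entries:
        body += struct.pack(">I", tag) + utf(alias) + struct.pack(">Q", 0)
        body += blob(b"dummy-key") + struct.pack(">I", 1) + cert if tag == 1 else cert
    return struct.pack(">III", JKS_MAGIC, 2, len(entries)) + body + b"\0" * 20
```

On a real file, call `jks_entries(open(path, "rb").read())`; an alias reported as `trustedCertEntry` carries no private key and cannot be used to sign a build.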

If, like me, you came here because you are having issues with long iteration time while testing Google Play Games Services code …

My issue involved:

  • Google Play Console controls my app signing key
  • Unity’s keystore is applied to my Unity builds
  • Therefore I can’t test Google Play Games Services code without fully uploading and publishing my builds through the Google Play Console

This thread is how I finally got that fixed.