Home/ Questions/Q 8791449
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T22:50:40+00:00

Possible Duplicate: Lost my keystore for uploaded app on android market I’m pushing a

  • 0

Possible Duplicate:
Lost my keystore for uploaded app on android market

I’m pushing a new version of an Android app to the Google Play Store and I want it to trigger an update for the current users of the app and not treat it as a new version. I don’t have the private key that was originally used to sign the existing app, so I’m trying the following to recover it.

I’m able to get to step 3, but I’m unsure what the .keystore file name is for the keytool -list -keystore my-signing-key.keystore command, any ideas?

  1. First, unzip the APK and extract the file /META-INF/ANDROID_.RSA
    (this file may also be CERT.RSA, but there should only be one .RSA
    file).

  2. Then issue this command:

    keytool -printcert -file ANDROID_.RSA You will get certificate
    fingerprints like this:

    MD5: B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
    SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
    Signature algorithm name: SHA1withRSA

  3. Then use the keytool again to print out all the aliases of your
    signing keystore:

    keytool -list -keystore my-signing-key.keystore

You will get a list of aliases and their certificate fingerprint:

android_key, Jan 23, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB

Voila! we can now determined the apk has been signed with this keystore, and with the alias ‘android_key’.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Unless you have the original keystore file that holds the private key, you can’t extract it from the .apk. The .apk contains only the public key and the signature generated using the private key, but it does not actually contain the private key itself.

    Consider this – if the .apk contained the actual private key, and the instructions for extracting it were so easy, anyone would be able to get Google, Facebook, Microsoft, or Amazon private key from their apps and sign any malware with it. (Apple is immune to such an attack, as they do not ship any Android software :-P)

    So, unless you have access to the original keystore file (and you know the passphrase – thanks @323go) that was used to sign the previous .apk, I fear you’re out of luck.

    • 0