I have requested a new signing key in the Google Play Store. After enabling App integrity, I can see that a new key was generated and can see its SHA256.

Then I uploaded a new bundle using the upload key. I used 33 for "targetSdkVersion", "minSdkVersion" and "compileSdkVersion". It uploaded successfully.

Then I downloaded the "Distribution APK" from App bundle explorer.

I ran the `keytool -printcert -jarfile 80-1.apk` command. I can still see the older key's certificate fingerprints being used, not the new one. The algorithm is also the old one: Signature algorithm name: SHA1withRSA Subject Public Key Algorithm: 1024-bit RSA key

Can someone help me here? I got a security ticket saying the APK is signed with SHA1. I want to use a strong signing key.

Durgaprasad
  • The upload key is only used for uploading, not for APK signing. Changing the APK signing key without changing the app package name (signature key rolling) is pretty complicated on Android and only works for recent Android versions. BTW: keytool is the wrong (outdated) tool for checking an APK signature. Use `apksigner` instead: https://stackoverflow.com/a/72189238/150978 – Robert May 22 '23 at 08:34
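
The check the comment above points to, as an added example that is not part of the original question or comment: a shell helper that reads `apksigner verify --verbose --print-certs` output and flags signers with short keys. The sample output is constructed, and the 2048-bit RSA and 256-bit EC thresholds and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Real use:  apksigner verify --verbose --print-certs 80-1.apk | audit_signers
# Output: one line per signer, "<signer>|<key algorithm>|<bits>|<verdict>".
audit_signers() {
    awk -v min_rsa="${MIN_RSA_BITS:-2048}" -v min_ec="${MIN_EC_BITS:-256}" '
        # Split "<signer><label><value>" lines; remember signers in order seen.
        function grab(label,   i) {
            i = index($0, label)
            if (i == 0) return 0
            who = substr($0, 1, i - 1)
            val = substr($0, i + length(label))
            if (!(who in seen)) { seen[who] = 1; order[++n] = who }
            return 1
        }
        grab(" key algorithm: ")   { alg[who] = val }
        grab(" key size (bits): ") { bits[who] = val }
        END {
            for (k = 1; k <= n; k++) {
                w = order[k]
                need = (alg[w] == "EC") ? min_ec : min_rsa   # assumed thresholds
                if (bits[w] == "") verdict = "UNKNOWN"       # run without --verbose
                else verdict = (bits[w] + 0 < need + 0) ? "WEAK" : "OK"
                printf "%s|%s|%s|%s\n", w, alg[w], bits[w], verdict
            }
        }'
}

# Constructed sample of apksigner output for a 1024-bit RSA signer (not real data).
sample_output() {
    cat <<'EOF'
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Example
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
EOF
}

sample_output | audit_signers
```

Because the helper keys on the text before each label, it lists every signer `apksigner` reports, so an APK that carries both an old and a new signer shows each one with its own verdict.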

0 Answers