Signing for Android: how can I generate the PEM certificate associated to the keystore?

mbruel

Hi,

I've published an app on Google Play and I need to submit a new version to prevent a critical crash...
Unfortunately I don't remember the password of my keystore :'(
I've contacted Google support to ask if it was possible to reset it and the procedure they gave me uses their tools (it sounds normal...):

First generate a key using: keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks
then export the certificate to provide them using: keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

Is it possible to export a pem certificate from a keystore file generated by QtCreator?
If not, is it possible to use their .jks file?

I don't remember how I did it in the first time to publish my app...
Thanks in advance if you can help me :)

mbruel

so as I couldn't find any information on the process, I gave a try to the Google keytool command on the keystore generated by QtCreator and it managed to export the pem certificate.

First list the keystore:

$ /opt/android-studio/jre/bin/keytool -list -keystore /somePath/qtCreatorGenerated.keystore
Enter keystore password:  
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

myAlias, 20-May-2021, PrivateKeyEntry, 
Certificate fingerprint (SHA1): A7:.........:E5

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /somePath/qtCreatorGenerated.keystore -destkeystore /somePath/qtCreatorGenerated.keystore -deststoretype pkcs12".

So there is a warning but still it is listing it and we get the alias used myAlias (before the PrivateKeyEntry)

Then we can just do:
/opt/android-studio/jre/bin/keytool -export -rfc -alias myAlias -file /somePath/myAlias_certificate.pem -keystore /somePath/qtCreatorGenerated.keystore

we get the same warning but the certificate is generated.
To print is content and get its signature you can do:
/opt/android/android-studio/jre/bin/keytool -printcert -file /somePath/myAlias_certificate.pem

I'll update you if Google accepts to change the certificate and if I manage to publish a new release for my application...

PS: to ask google to reset my upload certificate I followed this youtube video as I couldn't find anything else...

Basically:

log in to Google Play Console with your username
click on Account details to get your Developer account ID (copy it somewhere you'll need it)
come back on All apps and click on your app you lost the keystore
copy its package name (under the name of the app)
click on Setup -> App integrity in the left panel then on the button Request key upgrade
select I've lost the upload key which I use to sign each release and click Contact Support

All that to finally end up on Google support contact form
where you can tell them you forgot the password of the keystore and would like to reset it.
They check all the details you provide and ask you to send the new certificate.

mbruel

so it's working fine, in fact I suppose QtCreator is using android keytool command. the keystores generated are jks files.
So exporting the certificate is done with: keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks
we can then send that upload_certificate.pem to Google and it takes 2 business days to be updated and to be able to publish new release on the Play store using this new certificate.