Securing and Optimizing Your App with Google Play App Signing

Google officially announced the new Android app signing technique during Google I/O ’17.

The new app signing technique enables Google to securely manage developers’ app signing keys.

Diagrammatic explanation of how app signing works today.

Without Google App Signing (the old signing technique), you sign your app with your app signing key and upload it to the Play Store, and Google distributes your app to your users.

Diagrammatic explanation of Google App Signing.

With the new technique, you are not required to personally sign your app with the app signing key. Here is how it works:

  1. You sign your app with an upload_key, which you generate in Android Studio (“AS”).
  2. Google removes and verifies the upload_key.
  3. Finally, Google re-signs the app with the original app signing key you provided, and the app is delivered to the users.

There are some pros and cons of the new signing technique:


  1. Your app signing key is more secure because it is stored on the infrastructure Google uses to secure its own keys. Without Google App Signing, if you lose your app signing key, you can no longer release new updates for your app, so you would need to release a new app with a new package name. Oh no 🤦🏽‍♂, that would be a very terrible experience.
  2. Your app would not be compromised if you lose your upload_key to a third party; Google manages your key. Google would reset it and that would save your app. Isn’t that good?


If you need to test the signed version of your app before uploading to the Play Store, you may need to first sign the app with the original app signing key, though you would still need to sign it with the upload_key in order to upload it to the Google server.

Important notice:

Google Play App Signing is optional. You can keep managing your key if you do not like it.

Once you enroll in this new app signing technique, you can no longer revert the process. Hence, be sure you agree with the terms and conditions before you finally enroll.

Also, ensure you have a backup of your original app signing key (the private key you use to sign your app) before you embark on this process. This puts you on the safe side in case you damage or corrupt your app signing key during this process.

Let’s do a walk-through of the new signing process:

Nota bene: This write-up is written for existing apps on Google Playstore.

Go to your Google Play Console and click Release management > App signing.

Getting started with the Google App Signing.

1. Encryption of your Original App Signing Key.

Download the Pepk (Play Encrypt Private Key) tool as shown below. This should be found in your system download directory after a successful download.

Pepk tool: for exporting private keys from a Java Keystore and encrypting them for transfer to Google Play.

Open a terminal (Mac OS) or CMD (Windows OS) and run the command line shown below (you can copy it from your Google Play Console) to run the Pepk tool. Don’t forget to replace the parameters highlighted in bold. The command is meant to encrypt your original app signing key.

N.B: The command line might not run if you are using a JDK version lower than 8.

Explanation of terms (in the command):

  1. The pepk.jar (though not highlighted in bold in the command line) should be replaced with the path to the pepk tool you downloaded earlier. Something like /Users/yourUsername/Downloads/pepk.jar
  2. foo.keystore (keystore) is the path to the keystore containing your private key (original app signing key) to export. Something like /Users/yourUsername/Documents/Appkeys/keystore
  3. foo (alias) is the alias of the private key of the app you want to sign.
  4. encrypted_private_key_path (output) is the path to the file in which to output the encrypted private key. You choose a name for it, so it could look like: /Users/yourUsername/Documents/Appkeys/encryptedPrivateKey

The command would prompt you to input your key store and key password.

N.B: While you are typing the password, it will NOT be displayed on your screen, though the input is still being read.

If this command runs successfully, an encrypted private key is generated (mine is saved as encryptedPrivateKey, based on the name I chose above). Upload it to your Google Play Console as shown below.

Button to upload the encrypted app signing key.

2. Generation of a New Upload Key.

The new upload_key is the key you would be using to sign your app subsequently rather than the original app signing key.

You need to generate an upload_key using the key generation process in AS. On your AS toolbar, click Build > Generate Signed APK.

The dialog below would pop up.

Click Next. Then the dialog below pops up.

Click Create new… button and the dialog below to generate the upload_key would pop up.

Replace the details in the dialog with yours. Select a path to save your key store. The android.jks in the key store path is the name of the file in which the upload_key is saved. It should have the .jks (Java keystore) extension. You can increase the validity period to the number of years you desire. The maximum validity is 1,000 (years).

Click the OK button and the upload_key is generated. You can check the path you specified to confirm its creation.

3. Certificate Generation for the Upload Key.

Now, we need to generate/export a certificate for the upload_key generated in step (2).

Use the command below to do the operation. Ensure that you replace the arguments highlighted in bold.

Command for certificate generation

Explanation of terms:

upload-keystore.jks (keystore) is the path to the keystore of the upload_key generated in step 2. Something like /Users/yourUsername/Documents/AppKeys/uploadKeystore.jks

upload (alias) is the alias of the upload_key you generated in step 2.

upload_certificate.pem (file) is the name (in PEM format) you need to choose for the certificate which would be generated. Something like /Users/yourUsername/Documents/AppKeys/upload_certificate.pem

If the command runs successfully, a .pem certificate is generated. Click the button (as shown below in your Google console account) to upload the certificate.
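Step 3 as a script, added here as an example and not taken from the original post or the Play Console: it exports the upload certificate and refuses to continue unless the output is a single PEM certificate with no private key material. It assumes the JDK's keytool is on the PATH; the function names are hypothetical, and the keystore path, alias and output path are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): export the upload certificate
# from step 3 and sanity-check the file before uploading it to the Play Console.
# Usage: sh export_upload_cert.sh KEYSTORE ALIAS OUTPUT.pem

# Export the public certificate for ALIAS as PEM (-rfc). keytool prompts for
# the keystore password, so it never lands in shell history.
export_upload_cert() {
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -file "$3"
}

# Succeed only if the file holds exactly one PEM certificate and no private
# key block; anything else is the wrong artifact to hand to a third party.
is_upload_safe_pem() {
    pem=$1
    [ -s "$pem" ] || return 1
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        return 1
    fi
    [ "$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$pem")" -eq 1 ] || return 1
    [ "$(grep -c -e '^-----END CERTIFICATE-----' "$pem")" -eq 1 ] || return 1
    return 0
}

# Print the SHA-256 fingerprint so it can be recorded and compared with the
# fingerprint shown for the upload certificate after the upload.
cert_fingerprint() {
    keytool -printcert -file "$1" | grep 'SHA256:'
}

# Run only when the three arguments are supplied.
if [ "$#" -eq 3 ]; then
    export_upload_cert "$1" "$2" "$3" || exit 1
    if is_upload_safe_pem "$3"; then
        cert_fingerprint "$3"
    else
        echo "refusing to continue: $3 is not a lone PEM certificate" >&2
        exit 1
    fi
fi
```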

4. Enrollment to Google App Signing.

It is time to enroll the app to Google App Signing. Enrolling to it means:

  • Permanent enrollment of your app in Google Play App Signing.
  • Transfer of your app signing key to Google.
  • Registration of a new upload key that should be used for all subsequent APK uploads

Finally, click the ENROLL button and you are good to go.

N.B: Henceforth, you will be signing your app with upload_key. Google would then re-sign your app with the encrypted private key you uploaded in step 1.



Thanks to Amit Shekhar for reviewing this.

Yours in life-long learning, Abayomi.