
Possible Duplicate:
Lost my keystore for uploaded app on android market

I'm pushing a new version of an Android app to the Google Play Store and I want it to trigger an update for the current users of the app and not treat it as a new version. I don't have the private key that was originally used to sign the existing app, so I'm trying the following to recover it.

I'm able to get to step 3, but I'm unsure what the .keystore file name is for the `keytool -list -keystore my-signing-key.keystore` command. Any ideas?

  1. First, unzip the APK and extract the file /META-INF/ANDROID_.RSA (this file may also be CERT.RSA, but there should only be one .RSA file).
  2. Then issue this command:

        keytool -printcert -file ANDROID_.RSA

     You will get certificate fingerprints like this:

        MD5: B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
        SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
        Signature algorithm name: SHA1withRSA

  3. Then use the keytool again to print out all the aliases of your signing keystore:

        keytool -list -keystore my-signing-key.keystore

     You will get a list of aliases and their certificate fingerprint:

        android_key, Jan 23, 2010, PrivateKeyEntry,
        Certificate fingerprint (MD5): B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB

Voila! We can now determine that the apk has been signed with this keystore, with the alias 'android_key'.

c12
  • This is not possible, and needs to be closed as it has been covered here many times before, for example [Lost my keystore for uploaded app on android market](http://stackoverflow.com/questions/11715621/lost-my-keystore-for-uploaded-app-on-android-market) – Chris Stratton Nov 07 '12 at 21:30

1 Answer


Unless you have the original keystore file that holds the private key, you can't extract it from the .apk. The .apk contains only the public key and the signature generated using the private key, but it does not actually contain the private key itself.

Consider this - if the .apk contained the actual private key, and the instructions for extracting it were so easy, anyone would be able to get Google's, Facebook's, Microsoft's, or Amazon's private key from their apps and sign any malware with it. (Apple is immune to such an attack, as they do not ship any Android software :-P)

So, unless you have access to the original keystore file (and you know the passphrase - thanks @323go) that was used to sign the previous .apk, I fear you're out of luck.

Franci Penov
  • I see, thanks for the response. So as long as I get the original keystore file I'll be able to resign the new version with it? – c12 Nov 07 '12 at 21:35
  • 2
    As long as you have the original keystore AND THE PASSPHRASE for that keystore file, you're good. If not, you'll have to abandon the app or remove it. – 323go Nov 07 '12 at 21:49
  • as @323go mentioned, you also need to know the passphrase for that keystore. I'll update the answer. – Franci Penov Nov 07 '12 at 22:58
  • Hello c12, can you please give me a method to recover the signed key from the apk? I lost my signed key. – sanjay bhansali Jul 20 '15 at 11:20
  • 1
    Out of the three parameters (1) keystore password, (2) key alias, and (3) private key password, you can find out the first two using this method that renames (1) : https://gist.github.com/zach-klippenstein/4631307 and if you were the creator of the keystore but kept poor records, then armed with some self-knowledge you can now try out various likely private passwords that your tired brain might have applied back in the day. See also https://plus.google.com/+ZachKlippenstein/posts/6jshPnmn2PW – Gunnar Forsgren - Mobimation Sep 22 '15 at 09:26
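As an added example (not code from this thread, from the asker, or from the Android or JDK tooling), the script below automates the fingerprint comparison in step 3 of the question: it lists the signature block entries in an APK, parses the text that `keytool -printcert` and `keytool -list` print, and reports which keystore alias holds the certificate the APK was signed with, or `None` when the keystore does not hold it. The two keytool outputs and the APK are constructed samples built from the fingerprints quoted in the question (the `.RSA` entry is a placeholder, not a real PKCS#7 blob); in real use you would capture the keytool output with `subprocess`. It also makes the answer's point concrete: everything compared here is a certificate (public key) fingerprint, because that is all the signature block carries.

```python
"""Match an APK's signing certificate to a keystore alias by fingerprint.

Added example, not code from the Stack Overflow thread. It works on the text
that `keytool -printcert` and `keytool -list` print (captured here as
constructed samples built from the fingerprints quoted in the question) and
only compares certificate fingerprints: the signature block in the APK holds
the certificate (public key) and a signature, never the private key, so a
match against a keystore you already possess is all that can be recovered.
"""
import io
import re
import zipfile

# Constructed sample of `keytool -printcert -file CERT.RSA` (trimmed).
PRINTCERT_OUTPUT = """\
Owner: CN=Example Dev, O=Example, C=US
Issuer: CN=Example Dev, O=Example, C=US
Serial number: 4b5b1234
Certificate fingerprints:
     MD5:  B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
     SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
Signature algorithm name: SHA1withRSA
"""

# Constructed sample of `keytool -list -keystore my-signing-key.keystore`.
LIST_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

android_key, Jan 23, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
debug_key, Mar 2, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

# Matches "MD5: aa:bb:..." in -printcert output and "(SHA-256): ..." in -list output.
FP_RE = re.compile(r"\(?(MD5|SHA-?1|SHA-?256)\)?:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)")


def _norm_alg(alg):
    """Normalise 'SHA-256' / 'sha256' to 'SHA256' so both outputs compare equal."""
    return alg.upper().replace("-", "")


def signature_block_names(apk_bytes):
    """Step 1: list the v1 signature block entries (*.RSA, *.DSA, *.EC) in the APK.

    More than one entry means several signers; zero means no v1 signature.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]


def parse_printcert(text):
    """Step 2: algorithm -> fingerprint from `keytool -printcert` output."""
    return {_norm_alg(alg): fp.upper() for alg, fp in FP_RE.findall(text)}


def parse_keystore_list(text):
    """Step 3a: alias -> {algorithm: fingerprint} from `keytool -list` output."""
    entries, alias = {}, None
    for line in text.splitlines():
        if line.rstrip().rstrip(",").endswith("Entry"):  # e.g. "..., PrivateKeyEntry,"
            alias = line.split(",", 1)[0].strip()
            entries[alias] = {}
        elif alias is not None and "fingerprint" in line:
            for alg, fp in FP_RE.findall(line):
                entries[alias][_norm_alg(alg)] = fp.upper()
    return entries


def find_signing_alias(printcert_text, list_text):
    """Step 3b: the alias whose certificate matches the APK's, or None.

    Only algorithms printed on both sides are compared, so an old keystore
    listing that shows MD5 only still matches a newer -printcert output.
    """
    apk_fps = parse_printcert(printcert_text)
    for alias, fps in parse_keystore_list(list_text).items():
        shared = apk_fps.keys() & fps.keys()
        if shared and all(apk_fps[a] == fps[a] for a in shared):
            return alias
    return None  # signed by a key this keystore does not hold


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with a placeholder signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"placeholder, not a real PKCS#7 blob")
    return buf.getvalue()


if __name__ == "__main__":
    print("signature blocks:", signature_block_names(build_sample_apk()))
    print("APK fingerprints:", parse_printcert(PRINTCERT_OUTPUT))
    print("matching alias:", find_signing_alias(PRINTCERT_OUTPUT, LIST_OUTPUT))
```

A `None` result is the situation the answer describes: the APK's certificate is not in the keystore you have, and no amount of parsing the APK will produce the private key that goes with it. Treating the keystore file and its passphrase as a backed-up secret is the only real mitigation.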