A few days ago, I decided to update some of my demo apps on Google Play. These apps I don’t really use or maintain - just keep on Play for experimentations with the console. Google kept bugging me about updating the API level on the apps, so I decided to bite the bullet and actually fucking do it.

Now, the migration itself was pretty hard. According to Google, they had switched to the new AndroidX and Jetpack whatever, and were actively urging developers to migrate when they built their apps for API 28. Supposedly, it offers mroe decoupled libraries so we don’t spend our years on downloading shit from JCenter and Maven or whatever. And with all good things - there’s a catch: you need specifically Android Studio 3.2+ in order to migrate your existing projects to AndroidX. Since I didn’t want to move to the Cancerary (Cancer + Canary, gedit?) release lane, I had to wait weeks until they started pushing out 3.2 to the stable line.

After migration was over (goddamn, I had forgotten how much I hated the slowness of Android Studio) it was time to upload. I grabbed my keystore from my airgapped device, signed the damn apk Android App eXtension Deluxe 3.99999+ Infinity Bundle now apparently, and then tried to upload it all to the Play Store.

Uh-oh. Play Store refused my app. Wrong keys.

Finding the correct key

Panicking, I looked at my airgapped device. Bit-rot? Missing keys? How could it be?

Fortunately, I had backups of my keystore in a separate device, so I wasn’t very worried. But where was this key?

I managed to recover a key marked upload.jks from my airgapped machine. However, the file itself was only 3KB, and Android Studio did not recognize the contents. The file was completely corrupted. I had lost my upload key.

Understanding how keys work

And then I remembered why the keys did not work. Google Play Signing was the answer.

Basically, Google Play Signing will take your private key that you’ve been using. Then, if you upload a separate, UPLOAD-only key, you could use THAT key instead of your main keystore to sign your app. Since Google kept your private key, they could break open your app, change and optimize shit for their store, and then resign it with your private key, so from the end-user’s perspective, nothing because the end-user need not know anything they’d get the same app with the same key with no update conflicts.

My problem was, I had given Google Play my private key before, and an upload key. Then I had lost the upload key due to file corruption. Therefore, when I had signed my app again with my private key, Google rejected it because it wasn’t signed with my upload key.

Fortunately, there’s a fix - but it came at the cost of waiting.

Emailing Google Play no-support

Here’s the silver lining to my problem - Google allows developers to replace their upload key if they lose it - a main selling-point for their App Signing shenanigans. I decided to email Google Play support.

On their website, Google Play Developer Console provides a form for contacting support. I generated a new keystore, exported my upload key per their instructions and waited.

And waited.

Nobody got back to me. I grew frustrated. I ended up using the Help button on the Google Play Console, selected Live Chat (Note: Your language must be set to English) and was connected to a chat representative I’ll call Mr. S for the duration of this blog post.

Mr. S took quite a while looking at my developer account, then said he’d email me back after looking at it some more. The chat session disconnected, and I was left on my own for a few hours. Then my inbox pinged. Mr. S left an email asking me to reply with an upload certificate (the public one.)

I replied earnestly with my public certificate. He got back after a few hours and told me my new key had been replaced, but I couldn’t use it straightaway. There was a waiting period of two days. Yes, you heard that right. Two whole days.

keystore-1

This means if you lose your key and your app has a showstopper bug, then press F to pay respects you’re fucked.

Fortunately, this was an experiment app, so I wasn’t too invested in it, and there was only 5 active installs, but if this was a production app, I would’ve been fucked to the core.

Conclusion

Backup your keystores. Store them on airgapped phones or whatever. Just do it.

And also, try out Google Play App Signing. They literally saved my ass today.