Android: Import upload key

Existing Play Store apps need the original upload key — here's how to import it on the platform.

On this page

If your app is already published on Google Play and the platform provisions it fresh, uploads often fail with “signed with the wrong key”. By default the platform generates a new upload key. Play expects your original upload key.

Upload key vs. app signing key

With Play App Signing there are two keys:

Key Who manages it Purpose
Upload key You (or the platform after import) Signs the AAB before upload
App signing key Google Signs the app delivered to users

You only need the upload key (.jks file) for import.

When import is required

  • Migrating an existing app to the platform (brownfield)
  • The app was previously published with a different CI/CD or local key
  • Pipeline error: Android App Bundle was signed with the wrong key

For new apps without a store listing, the platform-generated key is enough.

Step by step

1. Check upload key in Play Console

  1. Google Play Console → your app
  2. ReleaseSetupApp integrity (or App signing)
  3. Note the SHA-1 fingerprint under Upload key certificate

2. Obtain the .jks file

Export the upload keystore from your previous environment (Android Studio, old CI, password manager). Typical filename: upload-keystore.jks.

You need:

  • the .jks file
  • the keystore password
  • optionally a separate key password
  • the alias (often upload)

3. Import in the Application Platform

  1. Edit the project (Composer or Guided Wizard)
  2. Next to the Android bundle ID, tap the key icon (advanced)
  3. Choose Import existing upload key
  4. Upload .jks, enter passwords and alias
  5. Import — the platform stores secrets in OpenBao and shows the SHA-1
Note
Import is only available after the project is saved. For new projects, create first, then edit and import.

4. Verify SHA-1

The displayed SHA-1 must match Play Console (Upload key certificate). If not, you likely have the wrong .jks or alias.

5. Wait for IaC sync

After import the platform syncs Terraform and GitLab CI variables. The next Android pipeline signs with the imported key.

Whitelabel apps

For whitelabel projects with per-variant bundle IDs, import next to each variant’s bundle ID. The pipeline uses variant-specific variables (ANDROID_KEYSTORE_BASE64__{variant_ci_key}). Special characters in the variant id (e.g. kvb-live) are normalized to underscores for GitLab keys (kvb_live); APP_ID in CI remains the original variant id.

Reset to platform key

In the import dialog you can choose Reset to platform key. This removes the import and generates a new key on the next sync — only for apps without an existing store listing.

See also