If your app is already published on Google Play and the platform provisions it fresh, uploads often fail with “signed with the wrong key”. By default the platform generates a new upload key. Play expects your original upload key.
Upload key vs. app signing key
With Play App Signing there are two keys:
| Key | Who manages it | Purpose |
|---|---|---|
| Upload key | You (or the platform after import) | Signs the AAB before upload |
| App signing key | Signs the app delivered to users |
You only need the upload key (.jks file) for import.
When import is required
- Migrating an existing app to the platform (brownfield)
- The app was previously published with a different CI/CD or local key
- Pipeline error: Android App Bundle was signed with the wrong key
For new apps without a store listing, the platform-generated key is enough.
Step by step
1. Check upload key in Play Console
- Google Play Console → your app
- Release → Setup → App integrity (or App signing)
- Note the SHA-1 fingerprint under Upload key certificate
2. Obtain the .jks file
Export the upload keystore from your previous environment (Android Studio, old CI, password manager). Typical filename: upload-keystore.jks.
You need:
- the
.jksfile - the keystore password
- optionally a separate key password
- the alias (often
upload)
3. Import in the Application Platform
- Edit the project (Composer or Guided Wizard)
- Next to the Android bundle ID, tap the key icon (advanced)
- Choose Import existing upload key
- Upload
.jks, enter passwords and alias - Import — the platform stores secrets in OpenBao and shows the SHA-1
4. Verify SHA-1
The displayed SHA-1 must match Play Console (Upload key certificate). If not, you likely have the wrong .jks or alias.
5. Wait for IaC sync
After import the platform syncs Terraform and GitLab CI variables. The next Android pipeline signs with the imported key.
Whitelabel apps
For whitelabel projects with per-variant bundle IDs, import next to each variant’s bundle ID. The pipeline uses variant-specific variables (ANDROID_KEYSTORE_BASE64__{variant_ci_key}). Special characters in the variant id (e.g. kvb-live) are normalized to underscores for GitLab keys (kvb_live); APP_ID in CI remains the original variant id.
Reset to platform key
In the import dialog you can choose Reset to platform key. This removes the import and generates a new key on the next sync — only for apps without an existing store listing.