In the Google Play Console, you can upload an encrypted app signing key to convert an existing app to use Google managed app signing: https://support.google.com/googleplay/android-developer/answer/9842756?hl=en#zippy=%2Cexisting-apps
There are 3 different methods offered, which all result in the same encrypted key, but starting from different kinds of input:
- From Android Studio
- From Java keystore
- From non-Java keystore or custom key format
I am migrating a Google Play account previously managed by my security department, and the only input I have is a certificate and accompanying private key in PEM format.
If looking at method 3, this actually only offers a pepk-source.jar file with which supposedly you may compile your own Java tool to convert your key into the encrypted format accepted by Google. It seems very strange that there is no documented way to go from a certificate and private key into an encrypted app signing key?
Here are instructions for going from `.cer` + `.pem` to encrypted app signing key.

Below, for simplicity I use `xxx` as an identifier in all commands. Replace `xxx` with your desired name as needed:

Input:
- `xxx.cer` - certificate
- `xxx.pem` - private key (PEM)

Instead of creating a tool to use `pepk.jar` to go from the private key to an encrypted app signing key, we instead create a keystore from the cer+pem pair, and then follow the instructions for importing an app signing key from a keystore:

1. Convert `.cer` + `.pem` into `.pkcs12`:

Note that `name` is required, as it will be used as `alias` later. This took me a while to figure out.

2. Create a keystore from the pkcs12 file:

3. Run the pepk tool to convert keystore into encrypted key

Use the public key found in the Google Play console (here truncated):

4. Upload the resulting `xxx-encrypted-private-key` file.

Done!
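
Steps 1 to 3 above as one script, added here as an example; these are not the answer's original commands. It checks that the private key belongs to the certificate and that the alias survived the PKCS#12 export, and passes passwords through the environment instead of the command line. Assumptions: a PEM-encoded certificate, the function names, the `P12_PASS`, `JKS_PASS` and `PLAY_ENCRYPTION_KEY` variables, and the pepk flags of older `pepk.jar` releases (use the exact command the Play Console shows for your app).

```shell
#!/bin/sh
# Added example: xxx.cer + xxx.pem -> xxx.p12 -> xxx.keystore -> encrypted key.
# Assumed environment variables (not from the original answer):
#   P12_PASS, JKS_PASS   passwords for the intermediate and final keystore
#   PLAY_ENCRYPTION_KEY  hex public key copied from the Play Console

# Succeeds only if the private key ($2) matches the certificate ($1).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Step 1: bundle certificate and key; -name becomes the keystore alias.
make_p12() {
  openssl pkcs12 -export -in "$1.cer" -inkey "$1.pem" -name "$1" \
    -out "$1.p12" -passout env:P12_PASS
}

# Print the alias (friendlyName) stored in a PKCS#12 file.
p12_alias() {
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Step 2: import the PKCS#12 entry into a keystore under the same alias.
to_keystore() {
  keytool -importkeystore -srckeystore "$1.p12" -srcstoretype PKCS12 \
    -srcstorepass:env P12_PASS -destkeystore "$1.keystore" \
    -deststorepass:env JKS_PASS -srcalias "$1" -destalias "$1"
}

# Step 3: encrypt the key for upload (flag names assume an older pepk.jar).
encrypt_for_play() {
  java -jar pepk.jar --keystore="$1.keystore" --alias="$1" \
    --output="$1-encrypted-private-key" --encryptionkey="$PLAY_ENCRYPTION_KEY"
}

convert() {  # usage: convert xxx
  key_matches_cert "$1.cer" "$1.pem" || { echo "key/cert mismatch" >&2; return 1; }
  make_p12 "$1" && [ "$(p12_alias "$1.p12")" = "$1" ] || return 1
  to_keystore "$1" && encrypt_for_play "$1"
  status=$?
  rm -f "$1.p12"  # the intermediate file contains the private key
  return "$status"
}

if [ "$#" -eq 1 ]; then convert "$1"; fi
```

The resulting `xxx.keystore` still contains the private key, so store or delete it with the same care as the original `.pem`.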