Update Upload Keystore whose Password given in the last build attempt was wrong

Hi,

I’d really appreciate some help. I’d like to distribute my client’s app for them.

How do I update a keystore that

  1. I previously provided to Expo and tried to make a build with, where the build failed with a log mentioning the password was wrong, possibly because
  • While building, when trying to upload the keystore the previous publisher gave me, and expo-cli asked for the keystore password, alias, and key password, I guessed these values based on examples of how to use the pepk-jar tool. The “Running Gradle” build logs at the end mention
> Task :app:packageRelease FAILED
[stderr] FAILURE: Build failed with an exception.
[stderr] * What went wrong:
[stderr] Execution failed for task ':app:packageRelease'.
[stderr] > com.android.ide.common.signing.KeytoolException: Failed to read key --------- from store "/tmp/turtle/keystore------.jks": Keystore was tampered with, or password was incorrect
[stderr] * Try:
[stderr] Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
[stderr] * Get more help at https://help.gradle.org
[stderr] BUILD FAILED in 5m 8s
1467 actionable tasks: 1467 executed
Error: ./gradlew exited with non-zero code: 1
    at ChildProcess.completionListener (/app/turtle/node_modules/@expo/xdl/node_modules/@expo/spawn-async/build/spawnAsync.js:52:23)
    at Object.onceWrapper (events.js:317:30)
    at emitTwo (events.js:126:13)
    at ChildProcess.emit (events.js:214:7)
    at maybeClose (internal/child_process.js:915:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:209:5)
    ...
    at spawnAsync (/app/turtle/node_modules/@expo/xdl/node_modules/@expo/spawn-async/build/spawnAsync.js:17:21)
    at spawnAsyncThrowError (/app/turtle/node_modules/@expo/xdl/build/detach/ExponentTools.js:235:45)
    at buildShellAppAsync (/app/turtle/node_modules/@expo/xdl/build/detach/AndroidShellApp.js:881:11)
    at <anonymous>
  2. And has no password, according to the previous publisher of the app. I’m reimplementing an app in Expo that previously was made in Ionic/Cordova, and was distributed on App and Play Store.
  • When I use expo credentials:manager -p android, or expo build:android --clear-credentials -t apk, both reach a point where

    • if I answer “I want to upload my own file” when it asks “Will you provide your own Android keystore?”

    • they ask me for the keystore password and key password, but they won’t accept an empty password if I press Enter.

When expo-cli asks you for the keystore and key passwords, it wants the passwords of the key you’re trying to upload and update with, right? Not the keystore already uploaded?

Dereks-Mac-mini:mode-lite derek$ expo credentials:manager -p android
? You are currently in a directory with @dereksleung/------- experience. Do you want to select it? Yes

@dereksleung/mode-lite
  Upload Keystore hashes
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

  Failed to parse the keystore Error: keytool exited with non-zero code: 1



? What do you want to do? Update Upload Keystore
? Will you provide your own Android Keystore? I want to upload my own file

WARNING! In this mode, we won't be able to make sure that your crdentials are valid.
Please double check that you're uploading valid files for your app otherwise you may encounter strange errors!

When building for IOS make sure you've created your App ID on the Apple Developer Portal, that your App ID
is in app.json as `bundleIdentifier`, and that the provisioning profile you
upload matches that Team ID and App ID.

? Path to the Keystore file. /Users/derek/-------
? Keystore password [hidden] (I must add one character for expo-cli to accept it) 
? Key alias
? Key password [input is hidden] (expo-cli does not accept an empty answer)

Relatedly, I’m wondering what it means I’ve done if running expo opt-in-google-play-signing gets a printout of the mistaken keystore credentials I entered that first build, like the following:

Dereks-Mac-mini:mode-lite derek$ expo opt-in-google-play-signing
Make sure you are not using Google Play App Signing already as this process will remove your current keystore from Expo servers.
You can check whether you are using Google Play App Signing here: https://play.google.com/apps/publish. Select your app and go to "Release management" → "App signing" tab. If you are already using Google Play App Signing, there will be a message that says, "App Signing by Google Play is enabled for this app", at the top of the page.
? Is Google Play App Signing enabled for this app? No
Keystore credentials
  Keystore password: -----
  Key alias:         ------
  Key password:      -----

  Path to Keystore:  /Users/derek/-----_sign.jks.bak

Expo CLI 3.5.0 environment info:
System:
OS: macOS 10.14.6
Shell: 3.2.57 - /bin/bash
Binaries:
Node: 10.15.3 - ~/.nvm/versions/node/v10.15.3/bin/node
Yarn: 1.21.1 - /usr/local/bin/yarn
npm: 6.13.4 - ~/.nvm/versions/node/v10.15.3/bin/npm
Watchman: 4.9.0 - /usr/local/bin/watchman
IDEs:
Android Studio: 3.4 AI-183.6156.11.34.5692245
Xcode: 10.3/10G8 - /usr/bin/xcodebuild
npmPackages:
expo: ^34.0.0 => 34.0.4
react: 16.8.3 => 16.8.3
react-native: https://github.com/expo/react-native/archive/sdk-34.0.2.tar.gz => 0.59.8
react-navigation: ^3.11.0 => 3.13.0
npmGlobalPackages:
expo-cli: 3.5.0

Thanks so much for having a look!

I guessed these values based on examples of how to use the pepk-jar tool

I’m not sure what you mean by that.

And has no password, according to the previous publisher of the app

Passwords for a keystore should be provided to you by someone who created the keystore. It’s technically possible for a keystore to have an empty password, but someone would need to use a very old keytool or generate it programmatically. You can try to convert this keystore with keytool: run the keytool -list command to verify that your keystore is in JKS format and try to change the password with the keytool -storepasswd and keytool -keypasswd commands.

When expo-cli asks you for the keystore and key passwords, it wants the passwords of the key you’re trying to upload and update with, right?

Yes, the CLI is asking for a password for a new keystore (to be precise, it’ll ask for two passwords, one for the entire keystore and one for the specific alias).

Relatedly, I’m wondering what it means I’ve done if running expo opt-in-google-play-signing gets a printout of the mistaken keystore credentials I entered that first build, like the following:

This command is only here to help with migration of old apps to the new signing process. Make sure you actually need to do this otherwise you might invalidate your current keystore.

Thanks so much for writing back!

And has no password, according to the previous publisher of the app

Passwords for a keystore should be provided to you by someone who created the keystore. It’s technically possible for a keystore to have an empty password, but someone would need to use a very old keytool or generate it programmatically. You can try to convert this keystore with keytool: run the keytool -list command to verify that your keystore is in JKS format and try to change the password with the keytool -storepasswd and keytool -keypasswd commands.

Just because I’m new to mobile app distribution, I wanted to double-check: If I convert this keystore so that it does have a password, then use it for my app signing key while making an APK, will Play Store Console think that this is not the same key as before?

I think the answer is that Play Store will recognize it is the same key, as it contains the same private key underneath the new password?

Relatedly, I’m wondering what it means I’ve done if running expo opt-in-google-play-signing gets a printout of the mistaken keystore credentials I entered that first build, like the following:

This command is only here to help with migration of old apps to the new signing process. Make sure you actually need to do this otherwise you might invalidate your current keystore.

Ooo, when would I risk invalidating my current keystore? How do I know if I need to migrate to the new signing process? The impression I got from reading this was just that

  • “App bundles are recommended”,

and then following the link to Expo’s App Signing guide, since it says the following without any warnings,

"If you want to use Google Play App Signing in an existing app, run expo opt-in-google-play-signing and follow its instructions."

it seemed safe and not risky?

So grateful to hear from you!

A keystore is just a container; the public and private key inside are what is important. Converting the keystore or changing the password won’t affect what is stored inside. If the private key used to sign the APK is the same, it will work on Play Store.

Ooo, when would I risk invalidating my current keystore? How do I know if I need to migrate to the new signing process?

Yes, it’s safe, but I have seen cases when people did something incorrectly, app signing was not enabled and they removed the original keystore. Just make sure you actually need this; all new apps have had this enabled from the start for some time already.
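
Added example (not part of any post in this thread, and not Expo's or keytool's own code): a minimal Python reader for the JKS container format, showing why keytool -list can print the alias and fingerprints with only an integrity warning, where the "tampered with, or password was incorrect" error comes from, and that changing the store password leaves the certificate fingerprint unchanged. The sample store, its alias `upload` and its key and certificate bytes are constructed placeholders; the per-alias key password, which protects the key blob itself, is not handled here.

```python
import hashlib, hmac, io
from struct import calcsize, pack, unpack

MAGIC, SALT = 0xFEEDFEED, b"Mighty Aphrodite"  # JKS magic number, fixed digest salt

def seal(password, body):
    """JKS integrity value: SHA-1(UTF-16BE password + salt + store body)."""
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def build_store(password, alias, key_blob, cert_der):
    """Constructed one-entry store: format version 2, one PrivateKeyEntry."""
    utf = lambda b: pack(">H", len(b)) + b
    body = pack(">IIII", MAGIC, 2, 1, 1) + utf(alias.encode())
    body += pack(">QI", 0, len(key_blob)) + key_blob + pack(">I", 1) + utf(b"X.509")
    body += pack(">I", len(cert_der)) + cert_der
    return body + seal(password, body)

def list_entries(store):
    """Return [(alias, [certificate SHA-256 hex, ...])]; needs no password."""
    r = io.BytesIO(store)
    num = lambda fmt: unpack(fmt, r.read(calcsize(fmt)))[0]
    field = lambda fmt: r.read(num(fmt))  # length-prefixed bytes
    magic, version, count = num(">I"), num(">I"), num(">I")
    if magic != MAGIC:
        raise ValueError("not a JKS keystore")
    out = []
    for _ in range(count):
        tag, alias, _created = num(">I"), field(">H").decode(), num(">Q")
        chain = 1  # a trusted-certificate entry holds exactly one certificate
        if tag == 1:  # PrivateKeyEntry: protected key blob, then chain length
            field(">I")
            chain = num(">I")
        certs = []
        for _ in range(chain):
            if version == 2:
                field(">H")  # certificate type string, e.g. "X.509"
            certs.append(hashlib.sha256(field(">I")).hexdigest())
        out.append((alias, certs))
    return out

def password_ok(store, password):
    return hmac.compare_digest(seal(password, store[:-20]), store[-20:])

def change_store_password(store, old, new):
    """Re-seal under a new store password; the entries are not rewritten."""
    if not password_ok(store, old):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    return store[:-20] + seal(new, store[:-20])

SAMPLE = build_store("", "upload", b"<constructed key>", b"<constructed cert>")
```

The store password only feeds the trailing 20-byte digest, so the fingerprint from `list_entries` is the value to compare before and after any conversion of a real keystore.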

Hey @wkozyra, sorry for the (possibly stupid :sweat_smile:) questions. I’m a bit confused by this “all new apps have this enabled” comment. Where/how does this happen? Do you mean something happens during expo init to cause “newly init-ed apps” to have this enabled? Or is this a build time thing, so any app that was first built after a certain date (or with a certain SDK or with a certain version of expo-cli) has this enabled?

I’m trying to get an idea about whether some of my apps are new enough or not. Is it possible to check if it’s enabled for a particular app?

Thanks.

Sorry I meant all new apps on Google Play.


Thanks

I think I need to create a new keystore with a password, because when I try using keytool to set the password on the old keystore and it asks for the current password, it also tells me my password is too short when I enter the empty password.

I trust your more experienced eye, could you

  1. Look at the edited output of keytool -list -v I paste below, and tell me what things exist in this keystore I need to export? Hopefully I’ve kept enough information.

Hopefully, the method of private key extraction here would work. It talks about converting to PKCS12 and using openssl to export from the new PKCS12 keystore.

I’m new at using keytool and working with keys, certificates, or other things keystores might store.

Dereks-Mac-mini:Downloads derek$ keytool -list -v -keystore -----.keystore
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: ---
Creation date: ---
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=---, OU=Development, O=, L=Vancouver, ST=British Columbia, C=CA
Issuer: CN=---, OU=Development, O=, L=Vancouver, ST=British Columbia, C=CA
Serial number: ---
Valid from: ---
Certificate fingerprints:
	 SHA1: ---
	 SHA256: ---
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: ---

Extensions:

#1: ObjectId: --- Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: ---  ..d'.iI\.4N..Vi.
0010: ---                                       ...d
]
]



*******************************************
*******************************************