Home » Android » android – How to generate 11 char hash key for Sms Retriever with Google App signing

android – How to generate 11 char hash key for Sms Retriever with Google App signing

Posted by: admin April 23, 2020 Leave a comment


I had generated the 11 char hash using the AppSignatureHelper class. But after uploading the apk to play store, they hash doesn’t work anymore. And I found out that Play replaces the key with another one which is why the hash gets changed as well. Now I’m having trouble getting the 11 char hash key.

I don’t know how to use the commands given by Google. I found this command from here

keytool -exportcert -alias MyAndroidKey -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Since, Play App signing is enabled for my app, I’ll have to use this command,

keytool -exportcert -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

I’ve replaced keytool with its path from the JDK’s bin folder but then it was saying xxd was not recognized so I downloaded it from a website now it’s saying tr is not recognized, I guess it’ll say that for cut as well.

Please pardon me if it seems too noob of me asking it, but how can I resolve this?

UPDATE: I’ve tried the second command from above on a linux machine, the command worked and gave me 11 character hash but still the SMS Retriever is not working.

SOLUTION: With the help of Nick Fortescue’s answer, I downloaded the DER formatted file. Then converted it to a .jks file using the following command,

keytool -importcert -alias myalias -file deployment_cert.der -keystore certificate.jks -storepass mypassword

Then performed the first command from above on certificate.jks and it worked!

How to&Answers:

Here is the complete step by step guide .

  1. Go to play console -> open app -> Release management -> App Signing -> Download Certificate . Like in below screen shot

enter image description here

This will give you deployment_cert.der file

  1. Convert the deployment_cert.der file to a .jks file

use below command

keytool -importcert -alias YOUR_ALIAS -file deployment_cert.der -keystore certificate.jks -storepass YOUR_PASSWORD

Replace YOUR_ALIAS,YOUR_PASSWORD with yours which used in keystore . In place of deployment_cert.der use complete path if required

After entering this command it will ask

Trust this certificate? [no]: yes

type yes and click enter . It will show message

Certificate was added to keystore

This will generate a new file certificate.jks

  1. Now in terminal enter command

    keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Replace YOUR_ALIAS,YOUR_PACKAGE with yours which used in keystore,project . In place of certificate.jks use complete path if required

it will ask for password

Enter keystore password: mypassword

enter your password and you will get the hash .

EDIT For MacOS users:

If you’re using MacOS you can install sha256sum by installing coreutils like this:

brew install coreutils

Or you can use shasum -a 256 instead of sha256sum like this:

keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | shasum -a 256 | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Credits to Abhinav Gupta and Op of this question Farhan Farooqui and above answer from Nick Fortescue


In the help documents for Google Play App Signing it has a section “New Apps”. Step 4 in this section is:

Step 4: Register your app signing key with API providers
If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.

To find the certificate of the key Google uses to re-sign your APK for delivery:

  1. Sign in to your Play Console.
    1. Select an app.
    2. On the left menu, click Release management > App signing.
    3. From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.

Download the original certificate in DER format and then use your command on that certificate.


As default bash commands were not working for me and I needed to generate hashes for both local keystore and Google Play certificate, I wrote my own Ruby script for that: https://github.com/michalbrz/sms-retriever-hash-generator/blob/master/google_play_sign.rb

Then generating hash with Google Play signing is just:

ruby google_play_sign.rb --package com.your.app --google-play-key deployment_key.der

where deployment_key.der is certificate downloaded from Google Play as in Nick’s response.

Under the hood it transforms Google Play cert into keystore and basically does what other suggested bash commands do, but wraps it in something easier to use.


try this

C:\Program Files\Java\jdk1.8.0_25\bin> keytool -exportcert -alias *Alias -keystore *keystorePath | C:\OpenSSL\bin\openssl.exe sha1 -binary | C:\OpenSSL\bin\openssl.exe base64

replace *Alias with your alias and *keystorePath with your kestore location. Also put right path of openssl.exe if its installed to another directory


I found all those commands and the process itself a little bit messy (I also have projects with 4 environment with 4 different packages), so what I did is to include the hash on the payload from the client when the client request a OTP, then the server save it (trust on first use) for manual review on the content management system.
Didn’t find any security aspect using this method


I know I replied very late. But I got the solution for this.

First follow the steps given by Manoher Reddy as above.

If this not work, try following alternate solution, it worked for me in various apps:

provide the play store generated hash to backend. For generating hash key on playstore, i have used AppSignatureHelper class and make Toast for the generated hash key and upload this build on play store. After successfully rollout, i have download the build. Now Toast will show with the playstore generated hash key, provide this key to backend. It is working fine for me.