I had generated the 11 char hash using the
AppSignatureHelper class. But after uploading the apk to play store, they hash doesn’t work anymore. And I found out that Play replaces the key with another one which is why the hash gets changed as well. Now I’m having trouble getting the 11 char hash key.
I don’t know how to use the commands given by Google. I found this command from here
keytool -exportcert -alias MyAndroidKey -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11
Since, Play App signing is enabled for my app, I’ll have to use this command,
keytool -exportcert -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11
keytool with its path from the JDK’s bin folder but then it was saying
xxd was not recognized so I downloaded it from a website now it’s saying
tr is not recognized, I guess it’ll say that for
cut as well.
Please pardon me if it seems too noob of me asking it, but how can I resolve this?
UPDATE: I’ve tried the second command from above on a linux machine, the command worked and gave me 11 character hash but still the SMS Retriever is not working.
SOLUTION: With the help of Nick Fortescue’s answer, I downloaded the DER formatted file. Then converted it to a .jks file using the following command,
keytool -importcert -alias myalias -file deployment_cert.der -keystore certificate.jks -storepass mypassword
Then performed the first command from above on certificate.jks and it worked!
Here is the complete step by step guide .
- Go to play console -> open app -> Release management -> App Signing -> Download Certificate . Like in below screen shot
This will give you
- Convert the
deployment_cert.derfile to a
use below command
keytool -importcert -alias YOUR_ALIAS -file deployment_cert.der -keystore certificate.jks -storepass YOUR_PASSWORD
Replace YOUR_ALIAS,YOUR_PASSWORD with yours which used in keystore . In place of
deployment_cert.der use complete path if required
After entering this command it will ask
Trust this certificate? [no]: yes
type yes and click enter . It will show message
Certificate was added to keystore
This will generate a new file
Now in terminal enter command
keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11
Replace YOUR_ALIAS,YOUR_PACKAGE with yours which used in keystore,project . In place of
certificate.jks use complete path if required
it will ask for password
Enter keystore password: mypassword
enter your password and you will get the hash .
EDIT For MacOS users:
If you’re using MacOS you can install sha256sum by installing coreutils like this:
brew install coreutils
Or you can use
shasum -a 256 instead of
sha256sum like this:
keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | shasum -a 256 | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11
In the help documents for Google Play App Signing it has a section “New Apps”. Step 4 in this section is:
Step 4: Register your app signing key with API providers
If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.
To find the certificate of the key Google uses to re-sign your APK for delivery:
- Sign in to your Play Console.
- Select an app.
- On the left menu, click Release management > App signing.
- From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.
Download the original certificate in DER format and then use your command on that certificate.
As default bash commands were not working for me and I needed to generate hashes for both local keystore and Google Play certificate, I wrote my own Ruby script for that: https://github.com/michalbrz/sms-retriever-hash-generator/blob/master/google_play_sign.rb
Then generating hash with Google Play signing is just:
ruby google_play_sign.rb --package com.your.app --google-play-key deployment_key.der
deployment_key.der is certificate downloaded from Google Play as in Nick’s response.
Under the hood it transforms Google Play cert into keystore and basically does what other suggested bash commands do, but wraps it in something easier to use.
C:\Program Files\Java\jdk1.8.0_25\bin> keytool -exportcert -alias *Alias -keystore *keystorePath | C:\OpenSSL\bin\openssl.exe sha1 -binary | C:\OpenSSL\bin\openssl.exe base64
replace *Alias with your alias and *keystorePath with your kestore location. Also put right path of openssl.exe if its installed to another directory
I found all those commands and the process itself a little bit messy (I also have projects with 4 environment with 4 different packages), so what I did is to include the hash on the payload from the client when the client request a OTP, then the server save it (trust on first use) for manual review on the content management system.
Didn’t find any security aspect using this method
I know I replied very late. But I got the solution for this.
First follow the steps given by Manoher Reddy as above.
If this not work, try following alternate solution, it worked for me in various apps:
provide the play store generated hash to backend. For generating hash key on playstore, i have used AppSignatureHelper class and make Toast for the generated hash key and upload this build on play store. After successfully rollout, i have download the build. Now Toast will show with the playstore generated hash key, provide this key to backend. It is working fine for me.