google-play,keytool"/>
  • 4
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

I had generated the 11 char hash using the AppSignatureHelper class. But after uploading the apk to play store, they hash doesn't work anymore. And I found out that Play replaces the key with another one which is why the hash gets changed as well. Now I'm having trouble getting the 11 char hash key.

I don't know how to use the commands given by Google. I found this command from here

keytool -exportcert -alias MyAndroidKey -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Since, Play App signing is enabled for my app, I'll have to use this command,

keytool -exportcert -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

I've replaced keytool with its path from the JDK's bin folder but then it was saying xxd was not recognized so I downloaded it from a website now it's saying tr is not recognized, I guess it'll say that for cut as well.

Please pardon me if it seems too noob of me asking it, but how can I resolve this?

UPDATE: I've tried the second command from above on a linux machine, the command worked and gave me 11 character hash but still the SMS Retriever is not working.

SOLUTION: With the help of Nick Fortescue's answer, I downloaded the DER formatted file. Then converted it to a .jks file using the following command,

keytool -importcert -alias myalias -file deployment_cert.der -keystore certificate.jks -storepass mypassword

Then performed the first command from above on certificate.jks and it worked!

Here is the complete step by step guide .

  1. Go to play console -> open app -> Release management -> App Signing -> Download Certificate . Like in below screen shot

enter image description here

This will give you deployment_cert.der file

  1. Convert the deployment_cert.der file to a .jks file

use below command

keytool -importcert -alias YOUR_ALIAS -file deployment_cert.der -keystore certificate.jks -storepass YOUR_PASSWORD

Replace YOUR_ALIAS,YOUR_PASSWORD with yours which used in keystore . In place of deployment_cert.der use complete path if required

After entering this command it will ask

Trust this certificate? [no]: yes

type yes and click enter . It will show message

Certificate was added to keystore

This will generate a new file certificate.jks

  1. Now in terminal enter command

    keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Replace YOUR_ALIAS,YOUR_PACKAGE with yours which used in keystore,project . In place of certificate.jks use complete path if required

it will ask for password

Enter keystore password: mypassword

enter your password and you will get the hash .

EDIT For MacOS users:

If you're using MacOS you can install sha256sum by installing coreutils like this:

brew install coreutils

Or you can use shasum -a 256 instead of sha256sum like this:

keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | shasum -a 256 | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Credits to Abhinav Gupta and Op of this question Farhan Farooqui and above answer from Nick Fortescue

  • 31
Reply Report

In the help documents for Google Play App Signing it has a section "New Apps". Step 4 in this section is:

Step 4: Register your app signing key with API providers If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.

To find the certificate of the key Google uses to re-sign your APK for delivery:

  1. Sign in to your Play Console.
    1. Select an app.
    2. On the left menu, click Release management > App signing.
    3. From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.

Download the original certificate in DER format and then use your command on that certificate.

  • 9
Reply Report
      • 1
    • Hi, thanks for your reply. I've found the DER formatted file, Now I just have to replace MyProductionKeys.keystore with the DER file's path in the command?
      • 1
    • I had used the SHA-256 before and tried to get the 11 char Hash, but that doesn't work either, SMS Retriever can't detect it
      • 2
    • keytool -exportcert -alias MyAndroidKey -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11` this command needs alias which is not provided with Play provided DER file.

As default bash commands were not working for me and I needed to generate hashes for both local keystore and Google Play certificate, I wrote my own Ruby script for that: https://github.com/michalbrz/sms-retriever-hash-generator/blob/master/google_play_sign.rb

Then generating hash with Google Play signing is just:

ruby google_play_sign.rb --package com.your.app --google-play-key deployment_key.der

where deployment_key.der is certificate downloaded from Google Play as in Nick's response.

Under the hood it transforms Google Play cert into keystore and basically does what other suggested bash commands do, but wraps it in something easier to use.

  • 5
Reply Report
      • 1
    • I'm getting this doing your command, some suggestion why I can't get the hash: ruby google_play_sign.rb --package com.xxxx.xxxx --google-play-key deployment_key.der Traceback (most recent call last): 2: from google_play_sign.rb:86:in
      ' 1: from google_play_sign.rb:59:in der_to_keystore' google_play_sign.rb:59:in ``': No such file or directory - keytool -importcert -alias myalias -file deployment_key.der -keystore gp_imported_keystore_temp.jks -storepass mypassword -noprompt (Errno::ENOENT)
    • @S.P. Simple explanation would be that your deployment_key.der doesn't exists. Are you sure you are putting correct path there? If you're sure, you can check if command keytool -importcert -alias myalias -file DER_FILE_PATH -keystore gp_imported_keystore_temp.jks -storepass pwd -noprompt would work for you - of course you should substitute DER_FILE_PATH with real path.

I know I replied very late. But I got the solution for this.

First follow the steps given by Manoher Reddy as above.

If this not work, try following alternate solution, it worked for me in various apps:

provide the play store generated hash to backend. For generating hash key on playstore, i have used AppSignatureHelper class and make Toast for the generated hash key and upload this build on play store. After successfully rollout, i have download the build. Now Toast will show with the playstore generated hash key, provide this key to backend. It is working fine for me.

  • 1
Reply Report

try this

C:\Program Files\Java\jdk1.8.0_25\bin> keytool -exportcert -alias *Alias -keystore *keystorePath | C:\OpenSSL\bin\openssl.exe sha1 -binary | C:\OpenSSL\bin\openssl.exe base64

replace *Alias with your alias and *keystorePath with your kestore location. Also put right path of openssl.exe if its installed to another directory

  • 0
Reply Report

I found all those commands and the process itself a little bit messy (I also have projects with 4 environment with 4 different packages), so what I did is to include the hash on the payload from the client when the client request a OTP, then the server save it (trust on first use) for manual review on the content management system. Didn't find any security aspect using this method

  • 0
Reply Report