From APK to AAB

  1. Backup your old keystore

  2. Delete the current keystore
    This forces App Inventor to generate a completely new keystore for your project.

  3. Build a new AAB (upload it to Google Play later)
    App Inventor will now automatically create a new keystore and sign the AAB with it.

  4. In Google Play Console: go to App Signing
    Google Play Console → Your App → Setup → App Integrity → App Signing
    Here you will see two keys:

  • App signing key (stored by Google)
  • Upload key (the one you must use for uploads)
    Because you deleted your old keystore, you now need to register the new upload key.
  5. Request Google to reset your upload key
    On the App Signing page, click:
    Request upload key reset (or reset upload key)
    Then Google will ask you to provide:
    The certificate (public key) generated from your new keystore

  6. Generate the certificate from your new keystore
    Open a terminal/command prompt in the folder where the new keystore is located, then run:

keytool -export -rfc -alias androidkey -file upload_certificate.pem -keystore android.keystore

Enter the password (default App Inventor keystore password = "android").
This will produce the file: upload_certificate.pem. This is the file Google needs.

  7. Upload the certificate to Google Play
    Return to Google Play → App Integrity → App Signing → Upload your certificate
    Upload the file: upload_certificate.pem

Google will then process your upload key reset (usually takes a few hours/days).


Subject: Request to reset upload key

Hello Google Play team,

I am enrolled in Play App Signing and accidentally signed my recent build with the app signing key. Because of this, I can’t upload a new release.

Please reset my upload key.

Attached is the certificate (upload_certificate.pem) for my new upload key, which was automatically generated by App Inventor.

App package name:
appinventor.ai_<email>.appName

Thank you!

O.K. I finally have the opportunity to try.

  1. I’ve exported the current keystore and set it aside (of a side project so if I mess this up, it won’t be too bad of a disaster).

  2. I’ve created the .aab.

I’ve uploaded it. Seems to be going well.

I’ve done the App integrity thing and so far, no problems.

Sent for review. Fingers crossed.

O.K. it looks ready for rollout. Now I can try on the thing I care about. I’ll do that next week as I want to be very sure regarding your instructions. I have about a hundred people who have this thing.

O.K., so, I’m using the Command prompt, changing the directory using chdir. And using this as the command: java -jar pepk.jar --keystore=android.keystore --alias=android --output=C:\Users\Frank\Downloads\Conversion --rsa-aes-encryption --encryption-key-path=C:\Users\Frank\Downloads\Conversion\encryption_public_key.pem

Once there, I get this prompt: Enter password for store 'android.keystore': And no matter what I type, nothing happens. If I press enter, I get this:

Can you possibly explain what I’m doing wrong?

Delete your current keystore from AI2 only after exporting and safely backing it up first.

Your old keystore is still important because Google Play is already using the old key as the App Signing Key (added correct terminology to distinguish it from the Upload Key). Existing users will still be able to receive updates because Google continues signing the distributed APKs with that original key.

After deleting the keystore in AI2, build the AAB again. AI2 will then automatically generate a new keystore during the build process.

The newly generated keystore becomes your new Upload Key. This key is only used to authenticate uploads to Google Play; it does not replace the original App Signing Key stored by Google.

So the correct workflow is:

  1. Export and securely store the old keystore first (added explicit backup step).
  2. Delete the local keystore from AI2.
  3. Build a new AAB in AI2.
  4. AI2 automatically generates a new keystore during the build.
  5. Upload the AAB to Google Play.

So in short, you sign the upload. Google signs the app.


If Google requires an encrypted keystore, the command should look like this:

java -jar pepk.jar \
--keystore=android.keystore \
--alias=androidkey \
--output=encrypted_key.zip \
--rsa-aes-encryption \
--encryption-key-path=encryption_public_key.pem \
--include-cert

or:
java -jar pepk.jar --keystore=android.keystore --alias=androidkey --output=encrypted_key.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem --include-cert

The alias must be "androidkey".

Delete your current keystore from AI2 only after exporting and safely backing it up first.

Done back in December. Not the issue.

Your old keystore is still important because Google Play is already using the old key as the App Signing Key (added correct terminology to distinguish it from the Upload Key). Existing users will still be able to receive updates because Google continues signing the distributed APKs with that original key.

Great. I still did it back in December.

After deleting the keystore in AI2, build the AAB again. AI2 will then automatically generate a new keystore during the build process.

Great

The newly generated keystore becomes your new Upload Key. This key is only used to authenticate uploads to Google Play; it does not replace the original App Signing Key stored by Google.

Great. Doing that is the problem.

So the correct workflow is:

  1. Export and securely store the old keystore first (added explicit backup step).

  2. Delete the local keystore from AI2.

  3. Build a new AAB in AI2.

  4. AI2 automatically generates a new keystore during the build.

  5. Upload the AAB to Google Play.

  1. Done. Months ago.
  2. Done. Months ago.
  3. Done and done and done.
  4. Fantastic.
  5. Before I created the encrypted keystore which is where I’m actually having a problem?

So in short, you sign the upload. Google signs the app.

At which point the old key becomes useless unless I can get it in a form Google wants which is the actual problem.

If Google requires an encrypted keystore, the command should look like this:


java -jar pepk.jar \
--keystore=android.keystore \
--alias=androidkey \
--output=encrypted_key.zip \
--rsa-aes-encryption \
--encryption-key-path=encryption_public_key.pem \
--include-cert

or:
java -jar pepk.jar --keystore=android.keystore --alias=androidkey --output=encrypted_key.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem --include-cert

The alias must be "androidkey".

So, how do I get this:

java -jar pepk.jar --keystore=android.keystore --alias=android --output=C:\Users\Frank\Downloads\Conversion --rsa-aes-encryption --encryption-key-path=C:\Users\Frank\Downloads\Conversion\encryption_public_key.pem

into a form that works?

output should be a zip filename and not only a directory

Taifun

java -jar pepk.jar --keystore=android.keystore --alias=androidkey --output=C:\Users\Frank\Downloads\Conversion\encrypted_key.zip --rsa-aes-encryption --encryption-key-path=C:\Users\Frank\Downloads\Conversion\encryption_public_key.pem --include-cert

So:

  • --alias=androidkey
  • --output=...encrypted_key.zip (zip filename)
  • --include-cert (add this part at the end)

Or run the command directly in the folder where the keystore is located. Then you can do it exactly as I showed (without making any adjustments).

Thank you. Does it matter what the name is so long as I end it with .zip?

Thank you. That was helpful.

O.K., I’ve tried this. When it got to asking me for the password, I typed android, but no characters appeared and this was the result:

In text:

C:\Users\Frank\Downloads\Conversion>java -jar pepk.jar --keystore=android.keystore --alias=androidkey --output=C:\Users\Frank\Downloads\Conversion\encrypted_key.zip --rsa-aes-encryption --encryption-key-path=C:\Users\Frank\Downloads\Conversion\encryption_public_key.pem --include-cert
Enter password for store 'android.keystore':
Error: Unable to export or encrypt the private key
java.io.IOException: Keystore was tampered with, or password was incorrect
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:804)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
at java.base/java.security.KeyStore.load(KeyStore.java:1497)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.KeystoreHelper.loadKeystore(KeystoreHelper.java:53)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.KeystoreHelper.getKeystore(KeystoreHelper.java:39)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.run(ExportEncryptedPrivateKeyTool.java:207)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.main(ExportEncryptedPrivateKeyTool.java:165)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:802)
... 6 more

Any idea what I’m doing wrong? And just to remind you, I copied and pasted this exactly:

java -jar pepk.jar --keystore=android.keystore --alias=androidkey --output=C:\Users\Frank\Downloads\Conversion\encrypted_key.zip --rsa-aes-encryption --encryption-key-path=C:\Users\Frank\Downloads\Conversion\encryption_public_key.pem --include-cert
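The "Keystore was tampered with, or password was incorrect" line in the trace above comes from the JKS integrity check, which cannot tell a wrong password from a modified file. The Python below is an added example (not part of the thread, and not pepk or App Inventor code) that repeats that check and lists the aliases in the store; `jks_tag`, `check_jks` and `build_sample` are hypothetical names, and the sample keystore is constructed with dummy key and certificate bytes.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its digest


def jks_tag(password: str, body: bytes) -> bytes:
    # Integrity tag: SHA-1(password as UTF-16BE + SALT + everything before the tag)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def check_jks(data: bytes, password: str):
    """Return (password_ok, aliases) for the bytes of a JKS keystore file."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    pos, aliases = 12, []

    def take(fmt, is_length=False):
        # Read one big-endian integer; if it is a length prefix, return the payload.
        nonlocal pos
        (n,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        if not is_length:
            return n
        pos += n
        return data[pos - n:pos]

    for _ in range(count):
        kind = take(">I")                      # 1 = private key, 2 = trusted cert
        aliases.append(take(">H", True).decode("utf-8"))  # ASCII aliases assumed
        take(">Q")                             # creation timestamp
        chain = 1
        if kind == 1:
            take(">I", True)                   # encrypted private key
            chain = take(">I")                 # certificates in the chain
        for _ in range(chain):
            if version == 2:
                take(">H", True)               # certificate type, e.g. "X.509"
            take(">I", True)                   # DER-encoded certificate
    return jks_tag(password, data[:-20]) == data[-20:], aliases


def build_sample(password="android", alias="androidkey") -> bytes:
    # Constructed input: one private-key entry with dummy key and cert bytes.
    a = alias.encode()
    body = struct.pack(">III", JKS_MAGIC, 2, 1)
    body += struct.pack(">IH", 1, len(a)) + a + struct.pack(">Q", 0)
    body += struct.pack(">I", 4) + b"\x00KEY" + struct.pack(">I", 1)
    body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", 4) + b"CERT"
    return body + jks_tag(password, body)
```

On a real file, `check_jks(open("android.keystore", "rb").read(), "android")` gives the same two answers; the alias list is readable whatever the password is, because JKS stores aliases unencrypted.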

Enter this command:
keytool -list -v -keystore android.keystore
(Password: "android")

If this fails, the password is incorrect (you must have changed it at some point). If it works, then the alias is incorrect.


I just successfully verified it using one of my keystores (AT.keystore created in 2015):

O.K., so this happened:

This is what I typed (well, pasted) 🙂
C:\Users\Frank\Downloads\Conversion>java -jar pepk.jar --keystore=android.keystore --alias=androidkey --output=C:\Users\Frank\Downloads\Conversion\encrypted_key.zip --rsa-aes-encryption --encryption-key-path=C:\Users\Frank\Downloads\Conversion\encryption_public_key.pem --include-cert
Enter password for store 'android.keystore':

then I copy and pasted android and got:

Enter password for key 'androidkey':

And then I typed android (mistake?) and got:

Error: Unable to export or encrypt the private key
java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/NONE/OAEPWithSHA1AndMGF1Padding
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:577)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.encryptPrivateKeyWithCkmRsaAesKeyWrapEncryption(ExportEncryptedPrivateKeyTool.java:284)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.run(ExportEncryptedPrivateKeyTool.java:213)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.main(ExportEncryptedPrivateKeyTool.java:165)

I then pasted:

keytool -list -v -keystore android.keystore

And got:

C:\Users\Frank\Downloads\Conversion>keytool -list -v -keystore android.keystore
'keytool' is not recognized as an internal or external command,
operable program or batch file.

I’ll go and get the keystore from my secure spot.

O.K.,

I went back to the original downloaded keystore from 2013. No good:

C:\Users\Frank\Downloads\Conversion> java -jar pepk.jar --keystore=android.keystore --alias=androidkey --output=C:\Users\Frank\Downloads\Conversion\encrypted_key.zip --rsa-aes-encryption --encryption-key-path=C:\Users\Frank\Downloads\Conversion\encryption_public_key.pem --include-cert
Enter password for store 'android.keystore':
Enter password for key 'androidkey':
Error: Unable to export or encrypt the private key
java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/NONE/OAEPWithSHA1AndMGF1Padding
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:577)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.encryptPrivateKeyWithCkmRsaAesKeyWrapEncryption(ExportEncryptedPrivateKeyTool.java:284)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.run(ExportEncryptedPrivateKeyTool.java:213)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.main(ExportEncryptedPrivateKeyTool.java:165)

Running keytool -list -v -keystore android.keystore got me:

C:\Users\Frank\Downloads\Conversion> keytool -list -v -keystore android.keystore
'keytool' is not recognized as an internal or external command,
operable program or batch file.

Is it just hopeless at this point?

Just in case it’s pointful this is the folder I’m working in:

I asked Gemini for you
Taifun


That error is incredibly frustrating, especially when you are just trying to get your app uploaded to Google Play.

The core issue here is a mismatch between the Java version you are running and what the Play Encrypted Private Key (pepk.jar) tool expects.

Specifically, the error java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/NONE/OAEPWithSHA1AndMGF1Padding means your current Java installation is missing a specific cryptographic security provider (usually Bouncy Castle) that supports that exact type of encryption natively. This is a very common headache with newer versions of Java (like Java 17, 21, or newer) or certain minimal runtimes.
Here are the two easiest ways to fix this, ranked from quickest to most reliable.

Solution 1: Use the Java version bundled with Android Studio (Highly Recommended)

If you have Android Studio installed, it already includes a rock-solid, fully compatible Java runtime (JDK) that has all the required security providers built right in. Instead of using your system's global java command, point directly to Android Studio's Java.
Open your command prompt and run the command by explicitly pathing to the Android Studio JDK.
For Windows, the command will look something like this:

"C:\Program Files\Android\Android Studio\jbr\bin\java.exe" -jar pepk.jar --keystore=android.keystore --alias=androidkey --output=C:\Users\Frank\Downloads\Conversion\encrypted_key.zip --rsa-aes-encryption --encryption-key-path=C:\Users\Frank\Downloads\Conversion\encryption_public_key.pem --include-cert

Note: Depending on when you installed Android Studio, the folder inside might be named jre instead of jbr. If the command above says the path can't be found, check C:\Program Files\Android\Android Studio\ to see if you have a jre or jbr folder and adjust the path accordingly.

Solution 2: Downgrade your standalone Java to Java 11

If you aren't using Android Studio or prefer a global fix, the pepk.jar tool was built during the era where Java 11 was the standard. Newer Java versions tightened up security rules and removed or changed how some of these older encryption providers are loaded by default.

  1. Download and install OpenJDK 11 or Oracle JDK 11.
  2. Make sure your environment variables point to Java 11, or temporarily run it directly using its full path, similar to Solution 1:
"C:\Program Files\Java\jdk-11\bin\java.exe" -jar pepk.jar ...

Either of these paths will supply the missing RSA/NONE/OAEPWithSHA1AndMGF1Padding provider to the tool, and your encrypted_key.zip should generate without a hitch!

Again the answer from Gemini below
Taifun


This one is a classic Windows hurdle. The error 'keytool' is not recognized... just means Windows doesn't know where to look for the keytool program.
keytool isn't a default Windows command—it lives inside the bin (binary) folder of your Java installation. Because that folder isn't registered in your computer's system path (its "frequent destinations" list), Windows gives up.
Since you likely have Android Studio installed (or another Java version from trying to fix the previous issue), you can bypass this entirely by telling Windows exactly where the tool is hiding.
Here are the two easiest ways to run it:

Solution 1: Use the Android Studio copy (Quickest)

Just like with Java earlier, Android Studio bundles keytool right along with its Java runtime. You can run it by wrapping the full path in quotation marks:

"C:\Program Files\Android\Android Studio\jbr\bin\keytool.exe" -list -v -keystore android.keystore

(Note: If Windows complains that it can't find that path, check your C:\Program Files\Android\Android Studio folder. If you see a folder named jre instead of jbr, change jbr to jre in the command above.)

Solution 2: Use your system's standalone Java (If installed)

If you installed a standalone version of Java (like Java 11 or 17) to your machine earlier, it will be sitting in your main Program Files directory. You can run it from there like this:

"C:\Program Files\Java\jdk-11\bin\keytool.exe" -list -v -keystore android.keystore

(Be sure to swap out jdk-11 for whatever version folder name actually exists on your hard drive).
Once you run either of those commands, it will prompt you for your keystore password, and then print out all your certificate details (like your SHA-1 and SHA-256 fingerprints) right in the console.

That, if true (A.I. doesn’t have error checking), is incredibly frustrating.

Well, AI usually is confirming what it thinks you are feeling...

I would focus on the suggested solutions

Taifun

My app’s on sale now, so I can’t do anything until that ends. I will try it later.

Send me your (original) keystore via PM. I can check if...

O.K. Thank you. The result is:

I think I know what I did wrong. I’ll try again tomorrow. Tonight, I sleep!