Skip to main content
Back to Articles

Android Signing Keys Explained: Generate, Connect, and Use Them in Flutter, React Native, Expo, and Kotlin

April 30, 2026
7 min read
By Untouch Team

If Android signing feels confusing, this guide is for you.

By the end, you will understand:

  • What app signing key and upload key mean.
  • How to generate and protect keystore files.
  • How to connect signing with Google Play and Untouch.
  • How to set up signing in Flutter, React Native, Expo, and native Android/Kotlin.

This is beginner-first, but detailed enough for production use.

Simple Key Concepts (No Jargon)

Every Android release must be signed.

There are usually two keys in modern Play workflows:

  • App signing key
  • Upload key

Easy way to remember:

  • App signing key = final key Google Play uses for distribution.
  • Upload key = key you use to upload bundles to Play.

Why two keys:

  • Better security.
  • If upload key is lost, you can reset upload key without changing your app identity.

Which Signing Method Should You Use?

Untouch supports practical methods that cover most teams.

Method 1: Generate a new keystore in Untouch (easy path)

Use this when:

  • You are launching a new app.
  • You do not already have a production keystore.

In Untouch App Settings:

  • Open App > Settings.
  • Go to Signing setup.
  • Choose Custom Credentials.
  • Enter key alias, store password, key password.
  • Generate.
  • Download the generated .jks file and store it safely.

What Untouch gives you:

  • Generated keystore.
  • Fingerprints (SHA-1, SHA-256, MD5).
  • Reusable signing config for builds.

Method 2: Upload your existing keystore (migration path)

Use this when:

  • App already exists.
  • You already have a release keystore.

In Untouch App Settings:

  • Open App > Settings.
  • In Signing setup, choose Upload Existing Keystore.
  • Upload .jks or .keystore.
  • Provide keystore password, key alias, key password.

Important:

  • Alias and passwords must match the original keystore exactly.
  • Keep old and new environments aligned to avoid signature mismatch.

Method 3: Manage Play App Signing lifecycle

In Untouch:

  • Go to App > Play Store > Signing.
  • View Play App Signing enrollment status.
  • Prepare enrollment flow.
  • Copy fingerprints for API provider registration.

Use this for:

  • First-time Play enrollment checks.
  • Fingerprint verification.
  • Upload key instruction review.

Generate a Keystore Manually (If Needed)

If you want local control, generate keys with keytool.

Windows PowerShell example

keytool -genkeypair -v -storetype PKCS12 -keystore my-upload-key.keystore -alias my-key-alias -keyalg RSA -keysize 2048 -validity 10000

macOS/Linux example

keytool -genkey -v -keystore my-upload-key.keystore -alias my-key-alias -keyalg RSA -keysize 2048 -validity 10000

Notes:

  • -validity 10000 days is common and safe for long-lived apps.
  • Keep alias and both passwords documented in a secure password vault.

Export upload certificate (PEM) for Play workflows

keytool -export -rfc -keystore my-upload-key.keystore -alias my-key-alias -file upload_certificate.pem

You may need this when Play asks for upload certificate registration/reset.

Framework-by-Framework Setup

Flutter

Typical release command:

  • flutter build appbundle --release

Typical config flow:

  • Create android/key.properties with signing values.
  • Load this file in android/app/build.gradle.kts.
  • Set release signingConfig to your release config.

Why this matters:

  • Without this, Flutter may build unsigned or debug-signed output.

React Native

Typical release command:

  • npx react-native build-android --mode=release

Typical config flow:

  • Put signing vars in ~/.gradle/gradle.properties or project android/gradle.properties.
  • Add signingConfigs.release in android/app/build.gradle.
  • Attach release buildType to release signing config.

Common RN gotcha:

  • Keep release credentials out of Git.

Expo

Typical release command:

  • eas build -p android --profile production

Typical signing flow:

  • Manage credentials via eas credentials.
  • For first Play upload, accept Play App Signing flow in Play Console.
  • If key mismatch happens, export certificate from keystore and request key change/reset with Google support.

Expo reality check:

  • Expo can manage credentials for you, but you still need to understand upload key ownership and recovery.

Native Android / Kotlin (Gradle)

Typical release command:

  • ./gradlew bundleRelease

Typical setup options:

  • Android Studio: Build > Generate Signed Bundle/APK.
  • Or Gradle signingConfigs in module build file.

Critical detail:

  • Keep release signing credentials separate from debug signing.

Other Frameworks

If your Android output still goes through Gradle and produces AAB/APK, the same principles apply:

  • Keystore
  • Alias
  • Store/key passwords
  • Release signing config

Connect Signing to Google Play (Beginner Sequence)

Follow this exact order to avoid rework:

  1. Generate or import keystore.
  2. Confirm fingerprints.
  3. Build signed AAB.
  4. Set up Play App Signing in Play Console.
  5. Upload signed build to internal testing first.
  6. Promote to wider tracks later.

Recommended Untouch Sequence

  • App > Settings: configure package name and signing.
  • App > Play Store > Settings: connect publishing defaults.
  • App > Play Store > Upload: upload build.
  • App > Play Store > Signing: verify key status/fingerprints.

Security Rules You Should Always Follow

  • Never commit .jks files to repository.
  • Never commit key passwords to source control.
  • Use separate upload key and app signing key when possible.
  • Back up keystore in two secure locations.
  • Store alias/password metadata in a secure secret manager.
  • Restrict who can access signing credentials.

Backup Strategy (Simple and Effective)

Keep these 4 items backed up:

  • Keystore file (.jks or .keystore)
  • Key alias
  • Store password
  • Key password

Recommended storage pattern:

  • One encrypted vault copy.
  • One offline encrypted backup.

Common Signing Errors and Fixes

Error: Incorrect keystore password

Fix:

  • Re-enter exact store password.
  • Verify no hidden whitespace.

Error: Alias not found

Fix:

  • Use exact alias from keystore creation.
  • If unknown, inspect keystore aliases with keytool.

Error: Signature mismatch in Play upload

Fix:

  • You signed with wrong key compared to Play expected upload key.
  • Use correct upload key or request upload key reset.

Error: Build signed with debug key

Fix:

  • Check release signingConfig points to release keystore.
  • Rebuild release AAB.

Error: Version code unavailable

Fix:

  • Ensure uploaded AAB version code is valid/new for track.
  • Update app version and rebuild.

Error: Lost upload key

Fix:

  • Generate a new upload key.
  • Request upload key reset in Play Console as account owner/admin.

Play App Signing: Practical Notes

  • For most new apps, Play App Signing is default and recommended.
  • Google stores app signing key securely.
  • You keep upload key safe and use it for uploads.
  • Upload key reset does not change your app signing key identity.

API Provider Fingerprints (Firebase, Maps, Others)

You may need both certificate sets depending on provider:

  • Upload certificate fingerprints.
  • App signing certificate fingerprints.

In Untouch and Play Console signing pages, copy SHA-1/SHA-256 and register correctly with provider portals.

Full Pre-Release Checklist

  • Keystore exists and is backed up.
  • Alias/passwords tested successfully.
  • Release signing config enabled.
  • AAB builds correctly.
  • Play App Signing status confirmed.
  • Package name matches Play app.
  • Service account configured for automation.
  • Internal track upload tested.

Beginner FAQ

Do I need a new key for every release?

No. Keep one stable signing identity for app lifetime.

Can I change app signing key later?

Possible in specific Play-supported scenarios, but treat as advanced operation.

Is upload key the same as app signing key?

It can be, but using separate keys is more secure.

Can Untouch generate and also let me download keystore?

Yes. In generated-key flow, Untouch allows downloading generated .jks.

Which framework is easiest for signing setup?

For many teams:

  • Untouch generated key + framework preset is easiest.
  • Manual local setup gives more control but needs careful secret handling.

What if I publish to stores other than Google Play?

Plan your key strategy early. Some teams use one key strategy across stores, others keep separate distribution strategy.

Should I keep passwords in Gradle files?

No. Keep secrets outside source control using secure property files or secret management.

Is debug keystore okay for release?

No. Release uploads must use proper release/upload key.