Still problems with creating the neccessary file for keystore reset (Lengthy mail)

Klaus major-k klaus at major-k.de
Tue Aug 27 08:06:22 EDT 2024


Hi all,

"The torture never stops" (F.Z.)

We are still struggling with creating the correct file for Google to reset the upload key,
and I get the feeling that Google is incompatible with Google!?

The very long story:
-------------------------------------------------------------------------
LC 10rc1, macOS 14.6.1 on a M2 Mac Mini

Android Studio Iguana | 2023.2.1 Patch 1
Build #AI-232.10300.40.2321.11567975, built on March 13, 2024
Runtime version: 17.0.9+0-17.0.9b1087.7-11185874 aarch64
VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o.
macOS 14.6.1
GC: G1 Young Generation, G1 Old Generation
Memory: 2048M
Cores: 8
Metal Rendering is ON
Registry:
    ide.experimental.ui=true

Google support reponded to my question (Can I rest the upload keystore?) with the instructions quoted below.

I created a new keystore file with "Android Studio":

> 1.    • Follow the instructions in the Android Studio Help Center to generate a new key.
> It must be different from any previous keys, be a 2048-bit RSA key, and have 25-year validity.
> Alternatively, you can use the following command line to generate a new key:
>        • keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks

Worked out fine and Matthias Rebbe and I could use it with LC to sign my Android app without any problems!
-----------------------------------------
Keystore file -> android_upload.keystore
Password: XXX1

Key:
Alias: sehenkey
Password: XXX2
-----------------------------------------

> 2.    • Export the certificate for that key to PEM format:
>        • keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

Created the PEM file successfully -> upload_certificate.pem

> 3.    • Once you have generated a PEM file please follow the steps below:
>        • Go to Setup > App integrity > App Signing.
>        • Request Upload key reset.
>        • Give a reason why you’re requesting a key reset.
>        • Enter PEM file.
>        • Click Request.

Google does not accept the above mentioned PEM file (BIG fun, thank you support) and shows a JAVA terminal
command that would output a ZIPped PEM file to upload to Google. 

See a screenshot here: <https://major-k.de/java_terminal.png>
(Strangely Matthias Rebbe saw a completely differenet command in HIS account on the app signing page!?)

And also let me download a JAR file "pepk.jar" which obviously does the actual work.


Matthias was so kind to check the terminal stuff for me with a higher JAVA version (jdk 20), so I could avoid the SDK "dance" :-)
The script with all placeholder replaced with my data, maybe this is not completely correct?
------------------------------------------------------------------------------------
 java -jar pepk.jar --keystore=android_upload.keystore --alias=sehenkey --output=output.zip signing-keystore=android_upload.keystore --signing-key-alias=upload-key-alias --rsa-aes -encryption --encryption-key-path=upload_certificate.pem
------------------------------------------------------------------------------------

But here is what he got:
------------------------------------------------------------------------------------
Error: Unable to parse the input: [--keystore=android_upload.keystore, --alias=sehenkey, --output=output.zip, signing-keystore=android_upload.keystore, --signing-key-alias=upload-key-alias, --rsa-aes, -encryption, --encryption-key-path=upload_certificate.pem]
java.lang.IllegalArgumentException: Invalid argument: signing-keystore=android_upload.keystore
at com.google.wireless.android.vending.developer.signing.tools.extern.export.Utils.processArgs(Utils.java:32)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.main(ExportEncryptedPrivateKeyTool.java:110)
USAGE:
       java -jar pepk.jar
         --keystore <release_keystore>
         --alias <key_alias>
         --output=<output_file>
         (--rsa-aes-encryption --encryption-key-path=</path/to/encryption_public_key.pem> | --encryptionkey=<encryption_key_hex>)
         [--signing-keystore <keystore> [--signing-key-alias=<alias>]]
         [--include-cert]

pepk (Play Encrypt Private Key) is a tool for exporting private keys from a
Java Keystore and encrypting them for transfer to Google Play as part of
enrolling in App Signing by Google Play.


        REQUIRED FLAGS

--keystore            Path to the keystore containing the private key to export.

--alias               Alias of the private key in the keystore.

--output              File in which to output the encrypted private key.

        OPTIONAL FLAGS

--keystore-pass       Password for the keystore. If not set, will be prompted on
                      the command line.

--key-pass            Password for the key inside the keystore. If not set, the
                      same password as the keystore will be used, or if none was
                      set, it will be prompted on the command line.

--signing-keystore    Path to the keystore containing the private key that will
                      be used for signing the exported encrypted private key.

--signing-key-alias   Alias of the private key used for signing in the
                      signing Keystore. Must be specified if --signing-keystore
                      flag is set.

--rsa-aes-encryption  Use RSA AES Key Wrap encryption for encrypting the
                      private key.

--encryption-key-path Path to the PEM-encoded public key to be used for
                      encrypting the private key. Must be specified if
                      --rsa-aes-encryption is set.

--encryptionkey       Public key to encrypt the private key with. This will be
                      the hex encoded bytes of the public key. The public key
                      is a 4-byte identity followed by a 64-byte P256 point.
                      Must be specified if --rsa-aes-encryption is not set.

--include-cert        Include the public certificate to be exported along with
                      the encrypted private key.

        OTHER OPTIONS

--help                Show this usage page and exit.

--license             Show the license for the tool and exit.
------------------------------------------------------------------------------------
So we got stuck!? 
Any insight highly appreciated! 
Also off-list if neccessary.

Thanks a lot in advance!


Best

Klaus
--
Klaus Major
https://www.major-k.de
https://www.major-k.de/bass
klaus at major-k.de




More information about the use-livecode mailing list