Fixing Google Play Signing Key Errors

How to Fix Build Errors Saying “Signature Key Mismatch” (Flutter/macOS)

Error Message:
Your Android App Bundle is signed with the wrong key.
Please sign your App Bundle with the correct signing key and try again.
The App Bundle must be signed with the certificate that has the fingerprint:
SHA1: 40:55:7C:… (example)
However, the certificate used to sign the uploaded App Bundle has the fingerprint:
SHA1: F9:C9:6A:… (example)

The cause is that the “app signing key” previously registered in the Google Play Console differs from the key used in this build.
Troubleshoot and fix in the following order:

  1. Verify which key is currently used for signing
  2. Locate and use the previously used “correct key”
  3. Action if the correct signing key cannot be found (reset upload key)

1. Verify the current signing key

First, verify which key signed the built .aab file.

keytool -printcert -jarfile build/app/outputs/bundle/release/app-release.aab | grep -i SHA1

For Windows (PowerShell)

keytool -printcert -jarfile build\app\outputs\bundle\release\app-release.aab | Select-String SHA1

→ The fingerprint shown in the error (e.g., F9:C9:6A:…) should appear here.
This is the signing key you are currently using.

2. Locate the previous signing key

2-1. Search for the keystore (signing key) in use

Google Play Console requires the fingerprint 40:55:7C:…(example).
If you don’t know which keystore you used, perform the following search:

find ~ -name "*.jks"
find ~ -name "*.keystore"

For Windows (PowerShell)

Get-ChildItem -Path $HOME -Recurse -Include *.jks,*.keystore

You may find files like these:

/Users/you/.android/debug.keystore
/Users/you/AndroidStudioProjects/.../my-release-key.keystore
/Users/you/AndroidStudioProjects/keystores/upload-keystore.jks

2-2. Verify the alias and SHA-1 for each keystore

Execute the following for each found keystore:
Command example (for alias: key0)

keytool -list -v -keystore /path/to/keystore.jks -alias key0

For Windows

keytool -list -v -keystore C:\path\to\keystore.jks -alias key0

If the alias is unknown, try common names sequentially:

  • key0
  • upload
  • release
  • my-key-alias
  • androiddebugkey (for debug.keystore)

🔑 What is an alias?

  • A keystore (.jks file) contains “keys”.
  • An alias is the name assigned to distinguish these keys.
  • While a keystore can hold multiple keys, it typically contains and uses only one key.

After entering the password, the SHA-1 hash will be displayed. Verify that it matches the fingerprint required by the Play Console: “SHA1: 40:55:7C:… (example)”.

🔑 Password (storePassword)

  • This is the password you set when creating the keystore (.jks file).
  • If you don’t know the password and can’t open the keystore, proceed to 4. Reset Upload Key, similar to when the signing key cannot be found.
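
The alias check in 2-2 can be scripted. The following is an added example, not part of the original article: it goes one step beyond the text by running keytool without -alias, which lists every entry in the keystore, so no alias has to be guessed. The function names (normalize_fp, match_alias, sample_listing) and the sample fingerprints are constructed for illustration, and keytool's English output is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): report which alias in
# `keytool -list -v` output carries the SHA-1 that Play Console asks for.
# Assumes keytool's English output format ("Alias name:", "SHA1:").

# normalize_fp HEX: drop separators and uppercase, so "a1:b2" equals "A1B2".
normalize_fp() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# match_alias REQUIRED_SHA1: read a listing on stdin, print matching aliases.
match_alias() {
    want=$(normalize_fp "$1")
    awk -v want="$want" '
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); name = $0 }
        /^[ \t]*SHA1:/ {
            fp = $0
            sub(/^[ \t]*SHA1:[ \t]*/, "", fp)
            gsub(/[^0-9A-Fa-f]/, "", fp)
            if (toupper(fp) == want) print name
        }'
}

# Constructed sample listing; both fingerprints are made up for illustration.
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: key0
Entry type: PrivateKeyEntry
Certificate fingerprints:
         SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
         SHA256: (omitted in this sample)

Alias name: upload
Entry type: PrivateKeyEntry
Certificate fingerprints:
         SHA1: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4
         SHA256: (omitted in this sample)
EOF
}

# Demo on the sample; prints "upload".
sample_listing | match_alias 'a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:a1:b2:c3:d4'

# Real use, one keystore at a time (omitting -alias lists every entry):
#   keytool -list -v -keystore /path/to/keystore.jks | match_alias '<SHA1 from Play Console>'
```

An empty result means no entry in that keystore has the required fingerprint, so move on to the next keystore found in 2-1.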

3. If the Correct Key is Found

3-1. Modify to Specify the Identified Keystore/Alias

If you have identified a keystore/alias matching the SHA1 required by the Play Console, verify the signingConfig settings in android/app/build.gradle.

signingConfigs {
    release {
        // Values are read from android/key.properties
        storeFile file(keystoreProperties['storeFile'])
        storePassword keystoreProperties['storePassword']
        keyAlias keystoreProperties['keyAlias']
        keyPassword keystoreProperties['keyPassword']
    }
}

  • The actual path to the keystore is specified in android/key.properties (create it if it doesn’t exist).
  • Modify it to specify the identified keystore.
  • Specify the absolute path, including the file extension.

storeFile=/Users/you/AndroidStudioProjects/keystores/upload-keystore.jks
storePassword=*****
keyAlias=upload
keyPassword=*****

3-2. Rebuild & Verify

Rebuild → Verify the signature’s SHA-1 from the .aab file

flutter clean
flutter pub get
flutter build appbundle --release

keytool -printcert -jarfile build/app/outputs/bundle/release/app-release.aab | grep -i SHA1

→ Verify it matches the SHA1 requested by Play Console before uploading

4. If you cannot find the correct key → Reset the upload key

If you cannot find the correct key and Play App Signing is enabled (it is enabled by default), Google holds the production key used for distribution, so the only key you can reset is the “upload key”.

4-1. Create a new keystore

keytool -genkeypair \
 -alias upload \
 -keyalg RSA \
 -keysize 2048 \
 -validity 10000 \
 -keystore upload-keystore.jks

  • Use the same memorable value for both passwords (store/key)
  • The entered “Organization Name/Country Name” can be anything (it cannot be changed later)

Example:

/Users/you/AndroidStudioProjects/keystores/upload-keystore.jks

4-2. Create the new upload key certificate (.pem)

keytool -export -rfc \
 -keystore upload-keystore.jks \
 -alias upload \
 -file upload_certificate.pem

4-3. Register the Key in Google Play Console

  1. Target app → “App Integrity” → “App Signing”
  2. In the “Upload Key” section, select “Reset/Replace Upload Key”
  3. Upload and register upload_certificate.pem
  4. It may take several hours to take effect.
  5. After it takes effect, you can upload the .aab signed with new-upload.jks.

4-4. Switch Flutter’s signing settings to the new key

Modify android/key.properties to match the new key:

storeFile=/Users/you/AndroidStudioProjects/keystores/upload-keystore.jks
storePassword=*****
keyAlias=upload
keyPassword=*****

4-5. Rebuild the .aab with the new key and verify the fingerprint

flutter clean
flutter pub get
flutter build appbundle --release

Verify the generated .aab has the new SHA-1:

keytool -printcert -jarfile build/app/outputs/bundle/release/app-release.aab | grep -i SHA1

→ If it matches the SHA-1 registered as the “Upload Key” in Google Play Console, it’s OK.
