
How to generate 11 char hash key for Sms Retriever with Google App signing

I had generated the 11 char hash using the AppSignatureHelper class. But after uploading the apk to Play Store, the hash doesn't work anymore. And I found out that Play replaces the key with another one, which is why the hash gets changed as well. Now I'm having trouble getting the 11 char hash key.

I don't know how to use the commands given by Google. I found this command from here

    keytool -exportcert -alias MyAndroidKey -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Since Play App Signing is enabled for my app, I'll have to use this command:

    keytool -exportcert -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

I've replaced keytool with its path from the JDK's bin folder, but then it said xxd was not recognized, so I downloaded it from a website. Now it's saying tr is not recognized; I guess it'll say that for cut as well.

Please pardon me if it seems too noob of me asking it, but how can I resolve this?

UPDATE: I've tried the second command from above on a Linux machine. The command worked and gave me an 11 character hash, but the SMS Retriever is still not working.

SOLUTION: With the help of Nick Fortescue's answer, I downloaded the DER-formatted file, then converted it to a .jks file using the following command:

    keytool -importcert -alias myalias -file deployment_cert.der -keystore certificate.jks -storepass mypassword

Then performed the first command from above on certificate.jks and it worked!

Farhan Farooqui asked Jul 16 '18 15:07



3 Answers

Here is the complete step-by-step guide.

  1. Go to Play Console -> open app -> Release management -> App Signing -> Download Certificate.

This will give you the deployment_cert.der file.

  2. Convert the deployment_cert.der file to a .jks file.

Use the command below:

    keytool -importcert -alias YOUR_ALIAS -file deployment_cert.der -keystore certificate.jks -storepass YOUR_PASSWORD

Replace YOUR_ALIAS and YOUR_PASSWORD with the ones you used in the keystore. In place of deployment_cert.der, use the complete path if required.

After entering this command, it will ask:

    Trust this certificate? [no]: yes

Type yes and press Enter. It will show the message:

    Certificate was added to keystore

This will generate a new file, certificate.jks.

  3. Now enter this command in the terminal:

    keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Replace YOUR_ALIAS and YOUR_PACKAGE with the ones used in your keystore and project. In place of certificate.jks, use the complete path if required.

It will ask for the password:

    Enter keystore password: mypassword

Enter your password and you will get the hash.

EDIT For MacOS users:

If you're using MacOS you can install sha256sum by installing coreutils like this:

    brew install coreutils

Or you can use shasum -a 256 instead of sha256sum like this:

    keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | shasum -a 256 | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Credits to Abhinav Gupta, the OP of this question Farhan Farooqui, and the above answer from Nick Fortescue.

Manohar answered Oct 18 '22 05:10
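The same 11-character value can be computed straight from the downloaded certificate, without the .jks conversion or the xxd/tr/cut tools that were missing on Windows. This is an added example, not code from the answers on this page or from Google; the function names and the sample bytes are assumptions made for illustration, and it goes slightly beyond the pipeline above by accepting PEM as well as DER input.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def load_cert_der(data: bytes) -> bytes:
    """Return raw DER bytes; unwrap PEM armor if the file is PEM-encoded."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def sms_retriever_hash(package: str, cert: bytes) -> str:
    """Compute the 11-character hash from a package name and certificate."""
    der = load_cert_der(cert)
    # `xxd -p | tr -d "[:space:]"` -> lowercase hex of the DER certificate;
    # `echo -n PACKAGE `cat`` joins package and hex with a single space.
    app_info = f"{package} {der.hex()}".encode("utf-8")
    digest = hashlib.sha256(app_info).digest()
    # 9 bytes encode to exactly 12 base64 characters, so truncating the digest
    # first gives the same prefix as `base64 | cut -c1-11` on all 32 bytes.
    return base64.b64encode(digest[:9]).decode("ascii")[:11]


# Constructed sample bytes for illustration only; not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(64))
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: python sms_hash.py com.example.myapp deployment_cert.der
    if len(sys.argv) == 3:
        with open(sys.argv[2], "rb") as fh:
            print(sms_retriever_hash(sys.argv[1], fh.read()))
    else:
        print(sms_retriever_hash("com.example.myapp", SAMPLE_DER))
```

The hash depends on both the package name and the signing certificate, so a build signed with the upload key and the build Play re-signs produce different values for the same package.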


In the help documents for Google Play App Signing it has a section "New Apps". Step 4 in this section is:

Step 4: Register your app signing key with API providers

If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.

To find the certificate of the key Google uses to re-sign your APK for delivery:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.
  4. From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.

Download the original certificate in DER format and then use your command on that certificate.

Nick Fortescue answered Oct 18 '22 05:10


As default bash commands were not working for me and I needed to generate hashes for both local keystore and Google Play certificate, I wrote my own Ruby script for that: https://github.com/michalbrz/sms-retriever-hash-generator/blob/master/google_play_sign.rb

Then generating hash with Google Play signing is just:

    ruby google_play_sign.rb --package com.your.app --google-play-key deployment_key.der

where deployment_key.der is the certificate downloaded from Google Play as in Nick's response.

Under the hood it transforms Google Play cert into keystore and basically does what other suggested bash commands do, but wraps it in something easier to use.

michalbrz answered Oct 18 '22 05:10