Keystore SHA1 different from cert.rsa SHA1 from APK

I have an Android app (and its production keystore) that was first created with Adobe AIR. A long time ago the company switched to the regular Android SDK to develop the app, but as the app was already in production, the keystore we use is still the same one (created back then by Adobe AIR).

I used keytool to extract the SHA1 for the Google Places API, and I got something along these lines:

Alias name: <alias_name>
Creation date: Jan 11, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=<company_name>, OU=, O=, C=US
Issuer: CN=<company_name>, OU=, O=, C=US
Serial number: <lotsofnumbers>
Valid from: Mon Mar 28 14:08:17 IST 2011 until: Sat Mar 29 14:08:17 IDT 2036
Certificate fingerprints:
     MD5:  ..:8D:F7
     SHA1: ..:E6:69
     SHA256: ..:38:9A
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions: 

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  codeSigning
]

This SHA1 (ending in E6:69) never worked in the Google Places API, so I checked the CERT.RSA that the APK contained, and it looked almost the same except for the certificate fingerprints:

Valid from: Mon Mar 28 14:08:17 IST 2011 until: Sat Mar 29 14:08:17 IDT 2036
Certificate fingerprints:
     MD5:  ..:E1:30
     SHA1: ..:72:74
     SHA256: ..:9D:6D
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions: 

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  codeSigning
]

This SHA1 (ending in 72:74) worked perfectly, and I finally managed to use the Google Places API in production. But I don't understand why those two certificate fingerprints are different.

I am 1000% sure it is the same keystore, so how is this possible?

When I look at the Android debug key, the info is structured the same way, but the Extensions are different:

Alias name: androiddebugkey
Creation date: Oct 26, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Serial number: 3bddeb55
Valid from: Sun Oct 26 21:03:56 IST 2014 until: Tue Oct 18 22:03:56 IDT 2044
Certificate fingerprints:
     MD5:  ..:01:17
     SHA1: ..:00:77
     SHA256: ..:32:93
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: <weird hexa number and characters>
0010: <weird hexa number and characters>
]
]

To summarise my questions:

  1. How is it possible that the SHA1s do not match?
  2. Could it be the difference in Extensions?
  3. How can I use keytool (or another tool) to show me the right SHA1, then?
  4. Can I get rid of this Code Signing Extension to go back to a "normal Android keystore"?
galex asked May 10 '16 12:05

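Question 3 asks for a tool that shows the SHA1 an APK was really signed with. The following stdlib-only Python script is an added example, not code from the question or any of the answers: it opens an APK as a zip, pulls each certificate out of the PKCS#7 SignedData stored in META-INF/*.RSA (or .DSA/.EC), and prints the same colon-separated fingerprints that keytool lists, so the keystore value and the APK value can be compared side by side. SAMPLE_PKCS7 at the bottom is a constructed stand-in with a dummy "certificate" so the parser can be exercised without a real APK.

```python
import hashlib
import zipfile

def der_tlv(buf, pos=0):
    """Parse one DER TLV at pos; returns (tag, header_len, body_len, end)."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0            # long-form length uses n extra bytes
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    return tag, 2 + n, length, pos + 2 + n + length

def der_children(buf, pos, end):
    """Yield (start, end) of every TLV packed inside buf[pos:end]."""
    while pos < end:
        nxt = der_tlv(buf, pos)[3]
        yield pos, nxt
        pos = nxt

def certs_from_pkcs7(p7):
    """DER bytes of each certificate in a PKCS#7 SignedData blob (an APK's CERT.RSA)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, hdr, length, _ = der_tlv(p7, 0)
    content = list(der_children(p7, hdr, hdr + length))[1][0]
    signed_data = content + der_tlv(p7, content)[1]
    _, hdr, length, _ = der_tlv(p7, signed_data)
    body = signed_data + hdr
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo, certificates [0] IMPLICIT ... }
    for s, e in list(der_children(p7, body, body + length))[3:]:
        if p7[s] == 0xA0:
            return [p7[cs:ce] for cs, ce in der_children(p7, s + der_tlv(p7, s)[1], e)]
    return []

def fingerprint(der, algo="sha1"):
    """Colon-separated uppercase digest of the DER certificate, as printed by keytool."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())

def apk_fingerprints(path):
    """{signature entry: [(sha1, sha256), ...]} for every META-INF/*.RSA|DSA|EC in the APK."""
    out = {}
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                out[name] = [(fingerprint(c), fingerprint(c, "sha256")) for c in certs_from_pkcs7(apk.read(name))]
    return out

def _tlv(tag, body):                                   # short-form DER encoder, sample only
    return bytes([tag, len(body)]) + body
# Constructed stand-in (not a real signature): SignedData wrapping one dummy "certificate".
SAMPLE_CERT = _tlv(0x30, _tlv(0x02, b"\x05"))
SAMPLE_PKCS7 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D010702")) + _tlv(0xA0, _tlv(
    0x30, _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, b"") + _tlv(0xA0, SAMPLE_CERT))))
```

Because the fingerprint is a hash over the entire DER-encoded certificate, two certificates issued for the same key pair but with a different serial number, validity period or extension set (such as the codeSigning extension shown above) produce different fingerprints, which is the comparison this script makes visible. Pass an APK path to apk_fingerprints() and compare its output with the "Certificate fingerprints" lines from keytool -list -v for the keystore.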



3 Answers

How is it possible that the SHA1s do not match?

The SHA-1 certificate fingerprint is defined by your Keystore; probably you signed your app with another Keystore, or your Keystore was modified or created again. I have experienced this myself, with my debug Keystore.

How can I use keytool (or another tool) to show me the right SHA1, then?

Remember, when you create a Keystore (that contains a unique SHA-1 certificate) to sign apps for production, you must keep this Keystore in a safe place, and it must be used to sign your apps for the Google Play Store.

If your SHA-1 (ending in E6:69) never worked in the Google Places API, probably that SHA-1 certificate fingerprint is not registered in https://console.developers.google.com/.

For example, for the Google Places API I need to register my app with the SHA-1 certificate of my debug keystore (generally located in C:\Users\[USER]\.android\debug.keystore) and with the SHA-1 certificate of my production keystore.

Go to your Google Developer Console at https://console.developers.google.com/apis. There you can define multiple SHA-1s related to your app package name; for example, you can define one for your Debug Keystore and another for your Production Keystore.

I can bet that you signed with different keystores, because they have different creation dates:

Creation date: Jan 11, 2015
Creation date: Oct 26, 2014
Jorgesys answered Nov 15 '22 03:11



Using Android Studio you can get the SHA1 key in the following way:

Go to the Gradle tab at the right side of the studio, then

click projectname -> :app -> Tasks -> android -> signingReport (double click).

This will print the SHA1 and MD5 keys in the Run console.

Jinesh Francis answered Nov 15 '22 05:11



There will be 2 keystores: debug and release. You are using the debug key, I think.

If you were using release, check that the API key is correct in both the debug and release XMLs, because normally you will not see the release Google XML.

So you created the correct API key, but you did not put it in the release XML file.

Suseendran Kandasamy answered Nov 15 '22 03:11
