"Your Android App Bundle uses an upload certificate with a key that is too weak."

Tags:

android

I got the following message in the Google Play Developer Console when I was trying to upload my app bundle after creating it using Android Studio Canary:

Your Android App Bundle uses an upload certificate with a key that is too weak.

I couldn't find any documentation about that. What is considered "weak" certificate?

TheUnreal asked Jul 20 '18 11:07



3 Answers

Use SHA256withRSA, because SHA1 is the old certificate.

$ keytool -genkey -v -keystore signed.keystore -alias name_app -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 10000

Then check the fingerprint

keytool -list -alias name_app -keystore signed.keystore

Superb. Now you get the standard certificate without any warnings.

karthikeyan ganesan answered Sep 20 '22 21:09



I also found the same error message within the Google Play console, when first uploading a new app signed with an existing keystore key.

To try and understand why my key was insecure, I found the requirements from Google for a signing key (Key requirements).

Google asks that the key:

  • Must be an RSA key that's 2048 bits or more.
  • DSA, EC and RSA keys that are less than 2048 bits aren’t supported.

It is possible to check this using the program keytool (Using keytool):

  • keytool -list -alias <your-key-name> -keystore <path-to-production-keystore>

After I did this, I got an error saying my JKS key was considered a security risk, and I could see that the certificate was only 1024-bit.

The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore x.keystore -destkeystore x.keystore -deststoretype pkcs12".

I then did two things:

  • Updated the keystore using the recommended command in the warning message.
  • Added a new alias within android studio.

Note: If you perform the JKS update and keep the src and dest the same, it will back up the old key as well.

Migrated "x.keystore" to PKCS12. The JKS keystore is backed up as "x.keystore.old".
will answered Sep 16 '22 21:09

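The check above relies on reading the key size and signature algorithm out of keytool's output by eye. The following is an added example (not part of the original answers) that automates that reading: it parses the text that `keytool -list -v -keystore <keystore>` prints and flags any alias whose leaf certificate does not meet the requirement quoted above (RSA, at least 2048 bits) or whose signature algorithm is one keytool itself warns about. It assumes the JDK 9+ output format, in which each certificate carries a `Signature algorithm name:` line and a `Subject Public Key Algorithm: <bits>-bit <alg> key` line; the sample output embedded below is constructed for illustration, not captured from a real keystore.

```python
import re
from dataclasses import dataclass, field

# Google Play's stated requirement for the upload key: RSA, at least 2048 bits.
MIN_RSA_BITS = 2048
# Signature algorithms that keytool reports as a security risk.
WEAK_SIG_ALGS = {"MD5withRSA", "SHA1withRSA", "SHA1withDSA"}

# Constructed sample of `keytool -list -v` output (JDK 9+ layout): one 1024-bit
# SHA1withRSA entry like the one in the answer, and one compliant 2048-bit entry.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: old_app
Creation date: Jul 20, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Dev, O=Example, C=US
Issuer: CN=Example Dev, O=Example, C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

Alias name: name_app
Creation date: Sep 16, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Dev, O=Example, C=US
Issuer: CN=Example Dev, O=Example, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
"""


@dataclass
class EntryFinding:
    alias: str
    key_algorithm: str
    key_bits: int
    sig_algorithm: str
    problems: list = field(default_factory=list)


def parse_keytool_list(output: str) -> list:
    """Split `keytool -list -v` output into one dict per alias.

    Only the first certificate of each alias (the leaf, Certificate[1]) is
    recorded, so chains with a CA certificate do not overwrite the leaf's values.
    """
    entries, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current is None:
            continue  # header lines before the first alias
        elif line.startswith("Signature algorithm name:") and "sig" not in current:
            current["sig"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subject Public Key Algorithm:") and "bits" not in current:
            m = re.match(r"(\d+)-bit (\w+) key", line.split(":", 1)[1].strip())
            if m:
                current["bits"] = int(m.group(1))
                current["alg"] = m.group(2)
    return entries


def assess(entries: list) -> list:
    """Apply the Play upload-key requirement to each parsed alias."""
    findings = []
    for e in entries:
        alg, bits, sig = e.get("alg", "unknown"), e.get("bits", 0), e.get("sig", "unknown")
        f = EntryFinding(e["alias"], alg, bits, sig)
        if alg != "RSA":
            f.problems.append(f"key algorithm {alg} is not RSA")
        elif bits < MIN_RSA_BITS:
            f.problems.append(f"RSA key is {bits}-bit, need at least {MIN_RSA_BITS}")
        if sig in WEAK_SIG_ALGS:
            f.problems.append(f"signature algorithm {sig} is deprecated")
        findings.append(f)
    return findings


def weak_aliases(output: str) -> list:
    """Names of the aliases that Play would reject as too weak."""
    return [f.alias for f in assess(parse_keytool_list(output)) if f.problems]


if __name__ == "__main__":
    for f in assess(parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT)):
        status = "OK" if not f.problems else "; ".join(f.problems)
        print(f"{f.alias}: {f.key_bits}-bit {f.key_algorithm}, {f.sig_algorithm}: {status}")
```

To run it against a real keystore, pipe the output of `keytool -list -v -keystore <path>` into `weak_aliases` instead of the constructed sample. Note that the check inspects the certificate that keytool prints, which for a self-signed upload key is the same key Play sees; if the alias holds a chain, the leaf certificate is the one that matters, which is why the parser keeps only the first values it sees per alias.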


I'm using Unity to build my game. I had that exact same problem. Here's how I solved it:

  • Delete the Draft in Google console
  • Build an APK with my upload key
  • Upload the APK to Google console
  • Build the AAB with that upload key
  • Now upload the AAB file, and it magically works

When it comes to Android, I know absolutely nothing about what I'm doing. I tried the above and it worked for me, so I'm sharing it; hope it'll work for you too :D

FVS answered Sep 16 '22 21:09
