Introduction / Why You Need This
A keystore is a file that holds the private key and certificate used to digitally sign your app; the signature verifies your app's authorship and guarantees code integrity. App stores, including Google Play, require every release build to be signed with the same key. If you attempt to upload an update signed with a different certificate, the publication will be rejected, and users will have to reinstall the app from scratch.
By the end of this guide, you'll have a ready-to-use .jks file properly configured for signing, along with a clear understanding of how to store it securely and integrate it into your build process.
Prerequisites / Preparation
Before you begin, ensure the following baseline conditions are met:
- JDK 8 or newer installed (the keytool utility is included)
- Terminal access (Command Prompt, PowerShell, or Bash)
- A password manager for securely storing credentials
- A dedicated directory with restricted access (preferably outside your project's root folder)
Step 1: Open the Terminal and Prepare the Directory
Launch your terminal and create a dedicated folder for your keys. Storing them alongside your source code or in public repositories is strictly prohibited.
mkdir -p ~/android_keys
cd ~/android_keys
💡 Tip: If you're on Windows, use mkdir android_keys and cd android_keys. You can place this directory on a separate drive or within an encrypted container.
Step 2: Generate the Key Using keytool
Run the following command to generate a key pair. The parameters below align with modern Google Play security standards.
keytool -genkeypair -v \
-keystore my_app_release.jks \
-keyalg RSA \
-keysize 2048 \
-validity 10000 \
-alias release_alias
What the command does:
- -genkeypair: generates a public/private key pair
- -keystore: specifies the keystore filename
- -keyalg and -keysize: uses the RSA algorithm with a 2048-bit key length (an optimal balance of security and performance)
- -validity 10000: sets the validity period to ~27 years
- -alias: assigns a unique name to the key within the file (remember this value)
Step 3: Fill in Metadata and Set Passwords
After running the command, the terminal will prompt you for information interactively. Provide the details in order:
- Enter the keystore password and confirm it.
- Provide your first and last name, organizational unit, organization, city, and country (you can leave fields blank by pressing Enter, but filling them out is recommended for corporate projects).
- Confirm the generated DN (Distinguished Name) string.
- Enter the password for release_alias. You can use the same password as the keystore by pressing Enter.
⚠️ Important: Passwords cannot be recovered. Save them immediately in a password manager. Characters will not be displayed on screen as you type—this is normal.
Step 4: Back Up the File
Once generation completes successfully, my_app_release.jks will appear in your directory. Create at least two backups:
- An encrypted archive on an external drive
- A cloud backup protected with two-factor authentication
Confirm that the file exists and check its size and permissions:
ls -la my_app_release.jks
Step 5: Link the Keystore to Your Project
- Open Android Studio.
- Navigate to Build → Generate Signed Bundle / APK.
- In the Key store path field, specify the path to my_app_release.jks.
- Enter the Key store password, Key alias, and Key password.
- Click Next, select the release build configuration, and complete the build.
For automation, add these credentials to your app module's build.gradle file using environment variables or a keystore.properties file to prevent the keys from being committed to version control.
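One way to wire this up in the Groovy DSL, shown as an added example that is not part of the original guide. The keystore.properties key names and the RELEASE_* environment variable names are assumptions chosen for illustration.

```groovy
// app/build.gradle (Groovy DSL). Added example; property and variable names are assumptions.
// keystore.properties sits in the project root, is listed in .gitignore, and contains:
//   storeFile=<absolute path to my_app_release.jks>
//   storePassword=<keystore password>
//   keyAlias=release_alias
//   keyPassword=<key password>
def keystoreProps = new Properties()
def keystorePropsFile = rootProject.file("keystore.properties")
if (keystorePropsFile.exists()) {
    // Local developer machine: read the secrets from the untracked file.
    keystorePropsFile.withInputStream { keystoreProps.load(it) }
}

// Look a setting up in keystore.properties first, then in the environment (CI runners).
def signingValue = { String propKey, String envKey ->
    keystoreProps.getProperty(propKey) ?: System.getenv(envKey)
}

android {
    signingConfigs {
        release {
            def ksPath = signingValue("storeFile", "RELEASE_STORE_FILE")
            // When neither source provides a path, the config stays empty
            // and no credentials are read or embedded in the build script.
            if (ksPath) {
                storeFile file(ksPath)
                storePassword signingValue("storePassword", "RELEASE_STORE_PASSWORD")
                keyAlias signingValue("keyAlias", "RELEASE_KEY_ALIAS")
                keyPassword signingValue("keyPassword", "RELEASE_KEY_PASSWORD")
            }
        }
    }
    buildTypes {
        release {
            signingConfig signingConfigs.release
        }
    }
}
```

Add keystore.properties and *.jks to .gitignore before the first commit, and define the environment variables as masked secrets in the CI system rather than in the pipeline file.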
Verifying the Result
Verify that the signing file is valid and contains the correct information:
keytool -list -v -keystore my_app_release.jks
In the output, locate the Entry type: PrivateKeyEntry line. Check the validity period (Valid from / Valid until) and ensure the Alias name matches what you specified during creation. If the command runs without errors and displays the details, the file is ready for use in CI/CD pipelines or manual builds.
Troubleshooting
- keytool: command not found or 'keytool' is not recognized — the utility is not in your system PATH. Provide the full path to the JDK executable (e.g., C:\Program Files\Java\jdk-17\bin\keytool.exe) or update your environment variables.
- java.security.InvalidKeyException: Illegal key size or default parameters — your JDK version is outdated or missing the JCE Unlimited Strength policy. Upgrade to JDK 8u161+ or 11+.
- java.io.IOException: Keystore was tampered with, or password was incorrect — check your keyboard layout, disable auto-correction, and ensure Caps Lock is off. When typing in the terminal, paste the password directly from your password manager.
- Validity too short — Google Play rejects keys with a validity period of less than 25 years. Regenerate the keystore with the -validity 10000 flag or higher.