TL;DR: If Play App Signing is enabled (recommended), keep your upload keystore and its credentials. If it’s not enabled, keep your app signing keystore and its credentials.
When Play App Signing is enabled
Keep (must-have)
upload-keystore.jks— the upload key used to sign AABs you upload to Play.- Credentials — store password, key password, key alias.
Optional (nice-to-have)
upload_certificate.pem— public cert of the upload key (derivable from the keystore).
Delete after migration (safe)
encrypted_private_key.pepk— one-time export for enabling Play App Signing.encryption_public_key.pem— Google’s PEPK public key.pepk.jar— export tool.
When Play App Signing is not enabled (you manage signing yourself)
Keep (must-have)
app-signing.keystore(name may vary) — the final signing key used to sign releases.- Credentials — store password, key password, key alias.
Optional
certificate.pem— public cert of your app-signing key.
Not needed
- PEPK files and
pepk.jar(they’re for Play App Signing migration).
Optional: Put your upload keystore into HashiCorp Vault (KV v2)
If you use Play App Signing, the upload keystore is your only long-term signing secret. You can store it (and its credentials) centrally in Vault.
Store the keystore (with credentials)
vault kv put secret/jenkins/mobile/app/com.maksonlee.bluetoothfinder \
upload_jks_b64="$(base64 -w0 bluetoothfinder-upload.jks)" \
store_password='******' \
key_password='******' \
key_alias='upload'
Did this guide save you time?
Support this site