Google Play

    Android Keystore Corrupted: How to Recover

    A damaged Android .jks keystore file being rejected by keytool, next to a clean copy restored from a CI secret store.

    A corrupted Android keystore usually cannot be repaired by editing the file, because a Java keystore is integrity-protected: keytool validates a keyed hash over the contents and rejects a damaged file with an error like keystore was tampered with, or password was incorrect. So do not spend time on hex-editor fixes; recover the original .jks from a backup, a CI secret, a password manager, or the machine that created it. If the keystore is genuinely gone and you use Play App Signing, you are not locked out: request an upload key reset in Play Console, because Google holds the app signing key. If you self-manage the signing key without Play App Signing and lose it, it cannot be reset.

    Short answer

    When your .jks or .keystore file is damaged and keytool refuses it, the fix is restoration, not repair. A corrupted keystore fails an integrity check that you cannot patch by hand, so the first move is to find an intact copy: your backups, your CI or CD secret store, a password manager, another machine that has the file, or git history if it was committed. If no copy exists and you are enrolled in Play App Signing, you can create a new upload key and have your account owner request an upload key reset, because Google holds and protects your app signing key. Per Android's app signing docs, a self-managed app signing key cannot be reset if you lose it.

    What a corrupted keystore actually means

    A corrupted keystore is the physical .jks or .keystore file being damaged at the byte level, which is different from losing the key or forgetting its password. The file is a binary Java KeyStore that holds your signing key and certificate, and it only works if its bytes are exactly intact. Damage happens in a handful of ordinary ways: a partial or interrupted write, a disk failure, a git merge that injected conflict markers into the binary, a text tool that rewrote line endings, or a broken base64 decode when the file is stored as a CI secret.

    The result is that the tools that read the keystore stop trusting it. keytool, jarsigner, apksigner, and the Gradle signing config all expect a valid keystore structure and a matching integrity value, so a damaged file produces a format or tamper error rather than signing your build. Recognizing that the problem is the file, not the password, matters, because it points you at restoration from a good copy rather than at password resets or key regeneration, which will not help a byte-damaged store.

    Can you fix a corrupted keystore with a hex editor?

    In almost all cases, no. A Java keystore is protected by a keyed integrity hash computed over its contents using the store password, so keytool verifies that hash every time it opens the file and refuses the keystore if the bytes no longer match. A hex editor lets you change bytes, but it cannot recompute the correct integrity value for you without the original intact contents, and it certainly cannot reconstruct damaged private-key material that is simply gone. So editing the file by hand generally moves you from one error to another rather than to a working key.

    There are narrow exceptions that are worth a quick check but not a long effort: if the damage is nothing more than extra bytes appended to the end of an otherwise complete file, or a wrapper like base64 that was not fully stripped, then removing the surplus can restore the original. That is not really repairing the keystore; it is undoing a transport mistake. Beyond that, treat hex-editing a corrupted keystore as a dead end, because the format is designed to reject tampering, and spend the time locating a clean copy instead.

    The errors you will see

    The error text tells you the file is unreadable, which is your signal to restore rather than retry. The table below maps common messages to what they mean and what to do.

    Error messageLikely causeAction
    keystore was tampered with, or password was incorrectIntegrity check failed on damaged bytesRestore a clean copy; do not hex-edit
    Invalid keystore formatStructure damaged or wrong file typeRestore the original .jks
    This is not a PKCS12 keystoreType mismatch or partial writeRestore; confirm store type
    DerInputStream length too big, or EOFExceptionTruncated or interrupted writeRestore from backup or CI secret

    Read the last column as one instruction: every one of these is a restore, because a keystore that fails to parse is not something you fix in place.

    The real recovery path: restore the original

    Restoration means finding any intact copy of the same keystore, since the signing key inside it is what has to match your published app. Check your local and cloud backups first, including Time Machine or a synced folder, then your secret manager, since many teams store the keystore and its passwords there. Check your CI or CD configuration, because the keystore is often held as a base64-encoded secret that decodes back to the original file. Ask other developers whose machines may still have it, and look at the machine that generated the key, where the first copy usually lives.

    If the keystore was committed to version control, which is not good practice but happens, it may still be recoverable from git history even after deletion. Once you have a candidate file, verify it before trusting it by listing its contents with keytool, using keytool -list -v -keystore your-file.jks, which both confirms the file parses and shows the certificate fingerprints. Matching that SHA-256 fingerprint against what Google Play expects for your app is how you know you have the right, intact key rather than a different one.

    Play App Signing: the reset path

    If no intact copy exists and you use Play App Signing, you are not locked out of your app, because the key you lost is only the upload key while Google holds the actual app signing key. Per Google, you create a new upload key in Android Studio, export its certificate to PEM format, and have your account owner request an upload key reset through the Play Console help form, uploading the new certificate when prompted. After the reset, you sign your uploads with the new upload key and Google continues to sign the delivered app with the unchanged app signing key, so your users receive normal updates.

    This is the reason enrolling in Play App Signing turns a lost or corrupted keystore from a catastrophe into a support request. The upload key is a credential for getting builds into Play, and it is replaceable; the app signing key is the identity your installed app depends on, and Google keeps it safe on its own infrastructure. So the practical answer to whether a reset is possible is yes for the upload key under Play App Signing, which is the situation most current apps are in.

    If you self-manage the signing key

    If you are not enrolled in Play App Signing and you manage the app signing key yourself, a lost or unrecoverable keystore is a genuinely different and worse situation. Per Android's documentation, an app signing key you manage yourself cannot be reset if you lose it, because there is no second copy anywhere and the key is what proves an update comes from you. Without it, you cannot sign an update that Play will accept for the existing app.

    In that case the only path forward is to publish a new app under a new package name with a new key, which means the old app's users do not receive it as an update and have to install the new listing. That is exactly the outcome Play App Signing exists to prevent, so if you are self-managing keys, the lesson from a corruption scare is to enroll in Play App Signing now, while you still have a working key, so the next incident is recoverable.

    A safe retry path for your pipeline

    Once you have a verified keystore, bring your signing pipeline back cleanly rather than forcing the failed build through. Restore the good keystore into your CI or CD secret store, taking care that the base64 encoding round-trips exactly, since that mistake corrupts many pipeline keystores. Re-run the signing step, then verify the output before you upload, using apksigner verify or jarsigner -verify on the signed artifact to confirm it is properly signed.

    Confirm the signature identity, not just that a signature exists. Compare the certificate fingerprint of your signed build against the fingerprint Play expects for the app, so you catch a wrong-key situation on your machine instead of at upload.

    Prevent the next corruption

    Working through these steps keeps a damaged keystore from becoming an emergency. The checklist below covers them.

    StepActionDone?
    Back up the keystoreKeep an offline copy plus a secret-manager copy[ ]
    Store passwords with itSave keystore and key passwords together securely[ ]
    Use a CI secret safelyStore as base64 and verify it decodes intact[ ]
    Never edit as textKeep the binary out of text tools and merges[ ]
    Verify fingerprintsCheck the SHA-256 fingerprint in your pipeline[ ]
    Enroll in Play App SigningSo a lost upload key is resettable[ ]

    The step teams skip most is enrolling in Play App Signing, which is the single change that makes a future lost or corrupted keystore recoverable.

    Where a scan fits

    While you are hardening how the keystore is stored, it is worth checking that signing secrets are not exposed elsewhere in the app or repo, since a keystore is only as safe as the places it is kept.

    A scanner like PTKD.com analyzes your build and flags issues such as signing credentials or keystores committed into the app, hardcoded secrets, and over-broad permissions by severity, mapped to OWASP MASVS. To be clear about the boundary: PTKD does not recover a corrupted keystore or reset your upload key. It helps you confirm that the signing material and other secrets are not sitting somewhere they can leak.

    What to take away

    • A corrupted keystore is a damaged file, not a lost password, and its integrity check means you generally cannot repair it by hand.
    • Hex-editor fixes do not work beyond undoing a transport mistake like stray appended bytes, so restore an intact copy instead.
    • Look for the original in backups, your CI secret store, a password manager, another machine, or git history, and verify it with keytool before trusting it.
    • If the file is truly gone and you use Play App Signing, create a new upload key and request an upload key reset, because Google holds the app signing key.
    • A self-managed app signing key cannot be reset if lost, so enroll in Play App Signing while your key still works, and a tool like PTKD.com helps confirm signing secrets are not exposed.
    • #android keystore
    • #code signing
    • #play app signing
    • #upload key
    • #ci cd

    Frequently asked questions

    Can I fix a corrupted keystore with a hex editor?
    Almost never. A Java keystore is protected by a keyed integrity hash computed over its contents with the store password, so keytool verifies that hash and refuses the file if the bytes no longer match. A hex editor cannot recompute the correct integrity value without the original intact contents, and it cannot rebuild damaged private-key material. The one narrow exception is undoing a transport mistake, such as removing extra bytes appended to an otherwise complete file or stripping a base64 wrapper. Otherwise, restore a clean copy instead of editing.
    How do I recover a corrupted .jks file?
    Restore an intact copy, since the signing key inside must match your published app. Check local and cloud backups, including Time Machine and synced folders, then your secret manager, your CI or CD secret store where the keystore is often held as a base64 secret, other developers' machines, and the machine that generated the key. If it was committed, git history may still have it. Verify any candidate with keytool -list -v -keystore your-file.jks and match the SHA-256 fingerprint against what Google Play expects before trusting it.
    Can I reset my key with Play App Signing?
    You can reset the upload key. With Play App Signing, Google holds and protects the app signing key while you sign uploads with an upload key, so if your keystore is lost or corrupted you are not locked out. Create a new upload key in Android Studio, export its certificate to PEM format, and have your account owner request an upload key reset through the Play Console help form, uploading the certificate when prompted. After the reset you sign with the new upload key, and Google keeps signing delivered updates with the unchanged app signing key.
    What if I do not use Play App Signing and lost my key?
    Then the situation is worse, because a self-managed app signing key cannot be reset if you lose it. There is no second copy, and the key is what proves an update comes from you, so without it you cannot sign an update Play will accept for the existing app. The only path forward is publishing a new app under a new package name with a new key, which existing users must install as a separate listing. Enroll in Play App Signing while you still have a working key to avoid this.
    Why does keytool say the keystore was tampered with?
    Because the integrity check failed. keytool computes and verifies a keyed hash over the keystore contents, and when the file's bytes are damaged, that hash no longer matches, so it reports keystore was tampered with, or password was incorrect. Despite the wording, on a corrupted file the cause is usually the damaged bytes rather than a wrong password. It is a signal that the file is unreadable and must be restored from a clean copy, not repaired in place or fixed with a different password.
    How do I prevent keystore corruption in CI?
    Store the keystore as a base64-encoded secret and verify it decodes back to the exact original before signing, since a broken base64 round-trip is a common cause of pipeline corruption. Keep an offline backup and a secret-manager copy with the keystore and key passwords together, never open or merge the binary in a text tool, and verify the signed build's certificate fingerprint in the pipeline so a wrong or damaged key is caught early. Enrolling in Play App Signing also makes a lost upload key resettable.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free