Android

    Android Keystore Password Lost? Recovery Steps

    An intact Android .jks keystore whose forgotten password is found in a gradle.properties file and a CI secret store.

    If you lost the password to an Android keystore but still have the .jks file, look for the password before you attack the file, because the signing config needs it and it is very often written down in your gradle.properties or keystore.properties, your CI secret variables, a password manager, or your build scripts. Brute-forcing your own keystore is legitimate but only realistic if the password was weak or you remember most of it, since a long random password is computationally infeasible to crack. If the password is truly gone and you use Play App Signing, you can reset the upload key, because Google holds the app signing key. A self-managed app signing key whose password is lost cannot be reset.

    Short answer

    A lost keystore password is more recoverable than a lost keystore file, because the key material is intact and you only need the passphrase that opens it. Start by searching every place the password could be stored, since Android signing configs need it at build time and most projects keep it in a properties file or a secret store. If that fails, an offline dictionary or mask attack on your own keystore can work when the password was weak or partly remembered, but not against a strong random one. If it is unrecoverable and you use Play App Signing, reset the upload key. Per Android's app signing docs, a self-managed app signing key cannot be reset if you lose access to it.

    Lost password versus a lost or corrupted file

    A lost password is a different problem from a missing or damaged keystore, and it is usually less severe. The .jks file still holds your signing key and certificate intact; what is missing is the secret that opens it. So none of the file-recovery work applies here, because there is nothing wrong with the file. The task is to find or recover the passphrase, and if you cannot, to fall back to the same reset path a lost file would need.

    It also helps to know that a keystore has two kinds of password. There is the store password that protects the keystore as a whole, and each key inside has its own key password. In many Android setups the two are set to the same value, but not always, so a tool that accepts the store password can still fail at signing if the key password differs. Keeping this distinction in mind matters, because half of these incidents are really a case of knowing one password and trying it in the wrong place.

    Where the password is probably written down

    Because a build cannot sign without the password, most projects record it somewhere the build can read, which is the first place to look. Check your gradle.properties for storePassword and keyPassword entries, a separate keystore.properties or signing.properties file, and the signingConfig block or build scripts that reference them. Look in your local.properties and any developer setup notes. The password for the release key is required by the signing config, so it is frequently sitting in one of these files on the machine that builds releases.

    Then check the places a team stores secrets deliberately. Your CI or CD system almost certainly holds the keystore password as a secret variable or masked environment value, since automated builds sign without a human typing it. A shared password manager or vault is the next candidate, followed by Fastlane configuration, and even your shell history if a build command once included it. Between the build-config files and the secret store, the password is recovered far more often than it is truly lost, so exhaust these before considering anything harder.

    Brute force options

    Because it is your own keystore, running an offline password attack against it is a legitimate recovery step, not an intrusion, and the outcome depends entirely on how strong the password was. The approach is to convert the keystore into a crackable hash and run a dictionary or mask attack: John the Ripper provides a keystore-to-hash helper for Java keystores, and hashcat supports the Java KeyStore format directly, so both can test candidate passwords offline against your file.

    The realistic part is the constraint. If the password was a weak word, a short pattern, or something you remember most of, a targeted mask attack that fixes the parts you recall and varies only the rest can find it quickly. If it was a long random string from a generator, it is computationally infeasible and no tool will change that, so brute force is a real option only in the weak or partially-remembered case. Feed the attack everything you know, such as length, likely words, and character set, and treat it as a possibility rather than a guarantee.

    The errors you will see

    The exact error tells you whether the wrong password is the store password or the key password, which narrows where to look. The table below maps common messages to cause and next step.

    Error messageLikely causeAction
    keystore was tampered with, or password was incorrectWrong store password (file is intact)Try other known passwords; search config
    Cannot recover keyWrong key password, right store passwordTry the store password as the key password
    Given final block not properly paddedWrong key password during signingRecover the key password specifically
    Keystore password was incorrect (Gradle)Config has an old or wrong passwordFix storePassword in gradle.properties

    Read the middle column as the split between the two passwords: a store-password error opens the file, while a key-password error blocks the actual signing.

    Play App Signing reset

    If you cannot recover the password and you are enrolled in Play App Signing, you are not locked out, because the key you can no longer use is only the upload key while Google holds the app signing key. Create a new upload key in a fresh keystore, this time recording its password in your secret store, export the new certificate to PEM format, and have your account owner request an upload key reset through the Play Console help form. After the reset, you sign uploads with the new upload key and Google keeps signing delivered updates with the unchanged app signing key.

    This is why Play App Signing turns a forgotten password from a dead end into a support request. The upload key is a replaceable credential for getting builds into Play, so losing access to it, whether the file is gone or the password is, is recoverable. The app signing key that your installed app depends on stays safe with Google, so your users continue to receive updates without reinstalling.

    If you self-manage the key

    If you are not enrolled in Play App Signing and you manage the app signing key yourself, a lost password is as serious as a lost key, because without the password you cannot use the key to sign an update. Per Android's documentation, a self-managed app signing key cannot be reset if you lose access to it, and a password you cannot recover is exactly that loss. There is no second copy and no reset path outside Play App Signing.

    In that case, if recovery and brute force both fail, the only way forward is to publish a new app under a new package name with a new key, which existing users must install as a separate listing rather than an update. Because that outcome is so costly, the takeaway for self-managed keys is to enroll in Play App Signing while you still have a working password, so a future lapse becomes an upload key reset instead of a lost app.

    A safe retry path for your pipeline

    Once you have recovered the password or reset the upload key, restore your pipeline in a way that prevents a repeat. Put the password into your CI or CD secret store and a password manager immediately, alongside the keystore backup, so the next build does not depend on anyone's memory. Then re-run the signing step and verify the result before uploading, using apksigner verify on the signed artifact to confirm it is properly signed.

    Confirm the identity as well as the signature. Compare the certificate fingerprint of the signed build against the fingerprint Google Play expects for the app, so a wrong key or a mixed-up password is caught on your machine rather than at upload.

    Prevent losing it again

    Working through these steps keeps a forgotten password from blocking a release. The checklist below covers them.

    StepActionDone?
    Store the password in a vaultKeep it in a password manager or secret store[ ]
    Keep it with the keystore backupBack up the file and its passwords together[ ]
    Use CI secretsHold the password as a masked CI variable[ ]
    Avoid throwaway passwordsDo not set a release key password you will forget[ ]
    Document the store and key passwordsNote whether they differ[ ]
    Enroll in Play App SigningSo a lost upload key or password is resettable[ ]

    The step teams skip most is enrolling in Play App Signing, which is what makes a future forgotten password a reset rather than a rebuild.

    Where a scan fits

    While you are moving the password into a proper secret store, it is worth checking that it and other signing secrets are not exposed in the app or repository, since a password in a committed file is both how you recover it and how it leaks.

    A scanner like PTKD.com analyzes your build and flags issues such as signing passwords or keystores committed into the repo, hardcoded secrets, and over-broad permissions by severity, mapped to OWASP MASVS. To be clear about the boundary: PTKD does not recover your password or reset your upload key. It helps you confirm the password you just recovered is stored as a secret rather than sitting in a file that ships or leaks.

    What to take away

    • A lost keystore password is usually more recoverable than a lost file, because the key material is intact and you only need the passphrase.
    • Search first: the password is very often in gradle.properties, keystore.properties, CI secret variables, a password manager, or your build scripts.
    • Remember there are two passwords, the store password and each key password, and a tool can open the file yet still fail to sign if the key password differs.
    • Brute-forcing your own keystore with John the Ripper or hashcat works only for a weak or partly-remembered password, never a long random one.
    • If the password is truly gone and you use Play App Signing, reset the upload key; a self-managed key cannot be reset, so enroll in Play App Signing while your password still works.
    • #android keystore
    • #keystore password
    • #code signing
    • #play app signing
    • #ci cd

    Frequently asked questions

    Can I recover a lost Android keystore password?
    Often yes, because the file is intact and you only need the passphrase. Search where the build reads it: gradle.properties (storePassword and keyPassword), a keystore.properties or signing config, local.properties, and your build scripts, then the deliberate secret stores, your CI or CD secret variables, a password manager or vault, Fastlane config, and even shell history. Automated release builds must sign without a human typing the password, so it is almost always recorded somewhere. Exhaust these before trying anything harder.
    Can I brute force my keystore password?
    For your own keystore this is a legitimate recovery step, and whether it works depends on the password's strength. You convert the keystore to a hash and run a dictionary or mask attack offline: John the Ripper provides a keystore-to-hash helper for Java keystores and hashcat supports the Java KeyStore format directly. It is realistic only if the password was weak or you remember most of it, so a targeted mask attack fixing the parts you recall can find it. A long random password is computationally infeasible, so treat brute force as a possibility, not a guarantee.
    What is the difference between the store password and the key password?
    A keystore has a store password that protects the keystore file as a whole, and each key inside it has its own key password. In many Android setups both are set to the same value, but not always. This matters because a tool that accepts the store password to open and list the keystore can still fail at signing if the key password is different. If you know one password, try it as the other, and read the error text to tell which password is being rejected.
    Can Play App Signing reset a lost keystore password?
    It can reset the upload key, which resolves a lost upload-key password. With Play App Signing, Google holds and protects the app signing key while you sign uploads with an upload key, so if you cannot recover its password you create a new upload key in a fresh keystore, record its password, export the certificate to PEM, and have your account owner request an upload key reset through the Play Console help form. Google keeps signing delivered updates with the unchanged app signing key, so users still get updates.
    What if I self-manage the key and cannot recover the password?
    Then it is as serious as losing the key itself, because without the password you cannot use the app signing key to sign an update, and a self-managed app signing key cannot be reset. If recovery and brute force both fail, the only path is publishing a new app under a new package name with a new key, which existing users must install as a separate listing. Because that is so costly, enroll in Play App Signing while your password still works so a future lapse becomes an upload key reset.
    How do I stop losing my keystore password again?
    Store the password in a password manager or secret store the moment you recover or create it, and keep it alongside the keystore backup so the file and its passwords travel together. Hold it as a masked variable in your CI or CD system so automated builds do not depend on memory, document whether the store and key passwords differ, and avoid setting a throwaway release password. Enrolling in Play App Signing is the single change that makes a future lost password recoverable rather than fatal.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free