An App Bundle signature verification failure on Google Play almost always means the .aab was signed with a key that does not match what Play expects. With Play App Signing, you sign your bundle with your upload key, and Google re-signs it with the app signing key, so verification fails if you signed with the wrong key, a new upload key, a debug key, or left the bundle unsigned. Verify which certificate actually signed your bundle with apksigner, confirm it matches your registered upload key, and re-sign with the correct release keystore. If your upload key is lost or changed, request an upload key reset in Play Console.
Short answer
The failure means the bundle's signing key does not match the upload key Play has on record. Per Android's app signing guidance, with Play App Signing you sign the bundle with your upload key and Google re-signs it with the app signing key, so uploading a bundle signed with the wrong key, a debug key, or no key at all fails verification. Check which certificate signed your build with apksigner, compare it to your registered upload certificate, and re-sign with the correct release keystore. If the upload key was lost or changed, request an upload key reset in Play Console rather than trying to upload a mismatched key.
What the error means
The error is Google Play telling you that the signature on your uploaded App Bundle does not match the upload key it expects for your app. Play verifies that each upload is signed with your registered upload key before accepting it, and when the signature does not verify against that key, the upload is rejected. It is a signing and key-matching problem, not an issue with your app's code.
Reading it correctly narrows the search. Nothing about your app's functionality is wrong; the bundle simply is not signed with the key Play associates with your app. That points you at three things to check: which key actually signed the bundle, which key Play expects, and whether they match. Almost every case of this failure comes down to a mismatch between those two keys.
Play App Signing: upload key vs app signing key
Play App Signing introduces two keys, and confusing them is the most common cause of this failure. The upload key is the one you sign your bundle with before uploading, and it is what Play verifies on upload. The app signing key is the one Google holds and uses to re-sign your app for distribution to users. You never sign your upload with the app signing key; you sign it with the upload key.
Getting these backwards, or signing with a key that is neither, causes verification to fail. If you sign the bundle with the app signing key, a brand-new keystore you never registered, or a debug key, Play cannot verify it against your registered upload certificate. The fix is to sign with the exact upload key that is registered for your app, which is the key Play checks against on every upload.
Common causes
Beyond mixing up the two keys, a few situations produce this failure. Uploading a debug-signed or unsigned bundle is one: a release upload must be signed with your release upload keystore, not the debug key Android uses automatically for development. A corrupted or misconfigured signing setup, such as the wrong keystore, alias, or password in your Gradle signing config, produces a signature that does not match.
Changing your upload key is another common cause. If you generated a new keystore, lost the original, or a team member used a different one, the bundle is signed with a key Play does not recognize, and verification fails. This is not fixed by uploading the new key directly; it requires the upload key reset process. Identifying which of these applies is the difference between a quick re-sign and a key reset.
Verify the signature with apksigner
Before changing anything, confirm which certificate actually signed your build using apksigner, the Android signing tool. Because an App Bundle is not directly installable, the practical approach is to generate the APKs from your bundle with bundletool, then run apksigner verify with the print-certs option on a generated APK to see the signing certificate and its fingerprint. That fingerprint is what you compare against your registered upload certificate.
Comparing fingerprints tells you exactly where the mismatch is. If the fingerprint from apksigner does not match the upload certificate Play shows in your App integrity settings, you have signed with the wrong key, which is the root cause. This verification step is worth doing first, because it turns a vague verification failure into a concrete answer about which key signed the bundle and whether it is the one Play expects.
Fixing an upload key mismatch
Once you know the keys do not match, the fix depends on why. If you simply signed with the wrong local key, re-sign the bundle with the correct registered upload keystore and upload again. Make sure your Gradle signing configuration points at the right keystore, alias, and credentials, so the release build is signed with the upload key Play has on record.
If the correct upload key is lost or you intentionally need a new one, you cannot just upload the new key; you request an upload key reset through Play Console. In your app's App integrity settings, request to reset the upload key and provide a new upload certificate as instructed. Google processes the reset, after which you sign future uploads with the new upload key. Use the reset path for a genuinely changed or lost key, and a simple re-sign for a wrong-key mistake.
Causes and fixes
Matching the cause to a fix avoids guessing. The table below pairs the common causes with their fixes.
| Cause | What is wrong | Fix |
|---|---|---|
| Signed with the wrong upload key | The key does not match Play's record | Re-sign with the registered upload key |
| Debug-signed or unsigned bundle | Not signed with a release key | Sign with your release upload keystore |
| Signed with the app signing key | Used the wrong key type | Sign with the upload key, not the app signing key |
| Corrupted signing config | Wrong keystore, alias, or password | Fix the Gradle signing configuration |
| Upload key lost or changed | Play does not recognize the key | Request an upload key reset in Play Console |
Read the table against what apksigner told you. If the fingerprint just points at the wrong local key, re-signing fixes it, and only a genuinely lost or changed upload key calls for the reset process.
Fix checklist
Working through signing methodically resolves the failure. The checklist below covers it.
| Check | Action | Done? |
|---|---|---|
| Verify the certificate | Run apksigner verify with print-certs on a generated APK | [ ] |
| Compare fingerprints | Match it against your registered upload certificate | [ ] |
| Release signing | Ensure a release keystore, not the debug key | [ ] |
| Fix the config | Correct the keystore, alias, and password | [ ] |
| Reset if needed | Request an upload key reset for a lost or changed key | [ ] |
The step that saves the most time is verifying the certificate first, since it tells you immediately whether the problem is a wrong key or a lost key, which need different fixes. Re-sign for a mismatch you can correct locally, and use the reset process only when the upload key genuinely changed.
After upload: scan before you submit
Fixing the signature gets your bundle accepted, but a bundle that uploads cleanly can still be rejected in review for reasons unrelated to signing. Security and privacy issues are a common one, and they are cheaper to catch before submission than after.
A scanner like PTKD.com analyzes your app build and reports findings ordered by severity and mapped to OWASP MASVS, so you catch issues like unjustified permissions, cleartext traffic, or embedded secrets before you submit. To be clear about the boundary: PTKD does not sign your bundle, manage your keys, or reset an upload key. It checks the built, signed artifact for the security issues that a valid signature does not address.
What to take away
- The failure means the bundle's signing key does not match the upload key Play has on record; it is a key-matching problem, not a code problem.
- With Play App Signing you sign with your upload key, not the app signing key, so signing with the wrong key type or a debug key fails verification.
- Use apksigner with print-certs on an APK generated from your bundle to see the signing certificate and compare its fingerprint to your registered upload key.
- Re-sign with the correct release upload keystore for a wrong-key mistake, and request an upload key reset in Play Console for a lost or changed key.
- After the signature is fixed, scan your build with PTKD.com for the security issues a valid signature does not cover.



