Google Play

    App Bundle Signature Verification Failed (Google Play Fix)

    A terminal running apksigner to print the signing certificate of an AAB while comparing it to the registered Play upload key.

    An App Bundle signature verification failure on Google Play almost always means the .aab was signed with a key that does not match what Play expects. With Play App Signing, you sign your bundle with your upload key, and Google re-signs it with the app signing key, so verification fails if you signed with the wrong key, a new upload key, a debug key, or left the bundle unsigned. Verify which certificate actually signed your bundle with apksigner, confirm it matches your registered upload key, and re-sign with the correct release keystore. If your upload key is lost or changed, request an upload key reset in Play Console.

    Short answer

    The failure means the bundle's signing key does not match the upload key Play has on record. Per Android's app signing guidance, with Play App Signing you sign the bundle with your upload key and Google re-signs it with the app signing key, so uploading a bundle signed with the wrong key, a debug key, or no key at all fails verification. Check which certificate signed your build with apksigner, compare it to your registered upload certificate, and re-sign with the correct release keystore. If the upload key was lost or changed, request an upload key reset in Play Console rather than trying to upload a mismatched key.

    What the error means

    The error is Google Play telling you that the signature on your uploaded App Bundle does not match the upload key it expects for your app. Play verifies that each upload is signed with your registered upload key before accepting it, and when the signature does not verify against that key, the upload is rejected. It is a signing and key-matching problem, not an issue with your app's code.

    Reading it correctly narrows the search. Nothing about your app's functionality is wrong; the bundle simply is not signed with the key Play associates with your app. That points you at three things to check: which key actually signed the bundle, which key Play expects, and whether they match. Almost every case of this failure comes down to a mismatch between those two keys.

    Play App Signing: upload key vs app signing key

    Play App Signing introduces two keys, and confusing them is the most common cause of this failure. The upload key is the one you sign your bundle with before uploading, and it is what Play verifies on upload. The app signing key is the one Google holds and uses to re-sign your app for distribution to users. You never sign your upload with the app signing key; you sign it with the upload key.

    Getting these backwards, or signing with a key that is neither, causes verification to fail. If you sign the bundle with the app signing key, a brand-new keystore you never registered, or a debug key, Play cannot verify it against your registered upload certificate. The fix is to sign with the exact upload key that is registered for your app, which is the key Play checks against on every upload.

    Common causes

    Beyond mixing up the two keys, a few situations produce this failure. Uploading a debug-signed or unsigned bundle is one: a release upload must be signed with your release upload keystore, not the debug key Android uses automatically for development. A corrupted or misconfigured signing setup, such as the wrong keystore, alias, or password in your Gradle signing config, produces a signature that does not match.

    Changing your upload key is another common cause. If you generated a new keystore, lost the original, or a team member used a different one, the bundle is signed with a key Play does not recognize, and verification fails. This is not fixed by uploading the new key directly; it requires the upload key reset process. Identifying which of these applies is the difference between a quick re-sign and a key reset.

    Verify the signature with apksigner

    Before changing anything, confirm which certificate actually signed your build using apksigner, the Android signing tool. Because an App Bundle is not directly installable, the practical approach is to generate the APKs from your bundle with bundletool, then run apksigner verify with the print-certs option on a generated APK to see the signing certificate and its fingerprint. That fingerprint is what you compare against your registered upload certificate.

    Comparing fingerprints tells you exactly where the mismatch is. If the fingerprint from apksigner does not match the upload certificate Play shows in your App integrity settings, you have signed with the wrong key, which is the root cause. This verification step is worth doing first, because it turns a vague verification failure into a concrete answer about which key signed the bundle and whether it is the one Play expects.

    Fixing an upload key mismatch

    Once you know the keys do not match, the fix depends on why. If you simply signed with the wrong local key, re-sign the bundle with the correct registered upload keystore and upload again. Make sure your Gradle signing configuration points at the right keystore, alias, and credentials, so the release build is signed with the upload key Play has on record.

    If the correct upload key is lost or you intentionally need a new one, you cannot just upload the new key; you request an upload key reset through Play Console. In your app's App integrity settings, request to reset the upload key and provide a new upload certificate as instructed. Google processes the reset, after which you sign future uploads with the new upload key. Use the reset path for a genuinely changed or lost key, and a simple re-sign for a wrong-key mistake.

    Causes and fixes

    Matching the cause to a fix avoids guessing. The table below pairs the common causes with their fixes.

    CauseWhat is wrongFix
    Signed with the wrong upload keyThe key does not match Play's recordRe-sign with the registered upload key
    Debug-signed or unsigned bundleNot signed with a release keySign with your release upload keystore
    Signed with the app signing keyUsed the wrong key typeSign with the upload key, not the app signing key
    Corrupted signing configWrong keystore, alias, or passwordFix the Gradle signing configuration
    Upload key lost or changedPlay does not recognize the keyRequest an upload key reset in Play Console

    Read the table against what apksigner told you. If the fingerprint just points at the wrong local key, re-signing fixes it, and only a genuinely lost or changed upload key calls for the reset process.

    Fix checklist

    Working through signing methodically resolves the failure. The checklist below covers it.

    CheckActionDone?
    Verify the certificateRun apksigner verify with print-certs on a generated APK[ ]
    Compare fingerprintsMatch it against your registered upload certificate[ ]
    Release signingEnsure a release keystore, not the debug key[ ]
    Fix the configCorrect the keystore, alias, and password[ ]
    Reset if neededRequest an upload key reset for a lost or changed key[ ]

    The step that saves the most time is verifying the certificate first, since it tells you immediately whether the problem is a wrong key or a lost key, which need different fixes. Re-sign for a mismatch you can correct locally, and use the reset process only when the upload key genuinely changed.

    After upload: scan before you submit

    Fixing the signature gets your bundle accepted, but a bundle that uploads cleanly can still be rejected in review for reasons unrelated to signing. Security and privacy issues are a common one, and they are cheaper to catch before submission than after.

    A scanner like PTKD.com analyzes your app build and reports findings ordered by severity and mapped to OWASP MASVS, so you catch issues like unjustified permissions, cleartext traffic, or embedded secrets before you submit. To be clear about the boundary: PTKD does not sign your bundle, manage your keys, or reset an upload key. It checks the built, signed artifact for the security issues that a valid signature does not address.

    What to take away

    • The failure means the bundle's signing key does not match the upload key Play has on record; it is a key-matching problem, not a code problem.
    • With Play App Signing you sign with your upload key, not the app signing key, so signing with the wrong key type or a debug key fails verification.
    • Use apksigner with print-certs on an APK generated from your bundle to see the signing certificate and compare its fingerprint to your registered upload key.
    • Re-sign with the correct release upload keystore for a wrong-key mistake, and request an upload key reset in Play Console for a lost or changed key.
    • After the signature is fixed, scan your build with PTKD.com for the security issues a valid signature does not cover.
    • #app bundle
    • #signature verification
    • #play app signing
    • #apksigner
    • #upload key

    Frequently asked questions

    What does App Bundle signature verification failed mean?
    It means Google Play could not verify your uploaded bundle against the upload key it has on record for your app. Play checks that each upload is signed with your registered upload key, and when the signature does not verify against it, the upload is rejected. It is a signing and key-matching problem, not an issue with your app's code.
    What is the upload key versus the app signing key?
    With Play App Signing, the upload key is the one you sign your bundle with before uploading, and it is what Play verifies. The app signing key is the one Google holds and uses to re-sign your app for users. You never sign uploads with the app signing key; signing with it, a debug key, or an unregistered keystore causes verification to fail.
    How do I verify which key signed my bundle with apksigner?
    Because an App Bundle is not directly installable, generate the APKs with bundletool, then run apksigner verify with the print-certs option on a generated APK to see the signing certificate and its fingerprint. Compare that fingerprint to your registered upload certificate in Play Console's App integrity settings to find exactly where the mismatch is.
    How do I fix an upload key mismatch?
    If you signed with the wrong local key, correct your Gradle signing configuration to point at the right keystore, alias, and credentials, then re-sign with the registered upload keystore and upload again. If the correct upload key is lost or you need a new one, request an upload key reset in Play Console and provide a new upload certificate, then sign future uploads with the new key.
    Can a debug-signed bundle cause this failure?
    Yes. A release upload must be signed with your release upload keystore, not the debug key Android uses automatically during development. Uploading a debug-signed or unsigned bundle produces a signature that does not match your registered upload key, so verification fails. Confirm your release build uses the correct release signing config before uploading.
    Does fixing the signature mean my app is ready to submit?
    No. Fixing the signature only gets the bundle accepted; it can still be rejected in review for reasons unrelated to signing, such as security or privacy issues. A scanner like PTKD.com (https://ptkd.com) checks your build for unjustified permissions, cleartext traffic, and embedded secrets, mapped to OWASP MASVS, which is separate from the signing key.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free