Whether a lost signing key is recoverable depends entirely on whether you use Play App Signing. If you do, Google securely holds your app signing key, so losing your local upload key is recoverable: you generate a new upload key and request an upload key reset, and you can keep updating your app. If you do not use Play App Signing and you lose the app signing key you manage yourself, that is not recoverable, because no one else has it, and you cannot update the existing app with a different key. Confirm which case you are in first, since the two have completely different outcomes.
Short answer
A lost upload key is recoverable; a lost app signing key that only you held is not. Per Google's Play App Signing documentation, when Play App Signing is enabled Google stores your app signing key, so if you lose your upload key you generate a new one and request an upload key reset in Play Console, then sign future uploads with it. If you never enrolled in Play App Signing and lose the app signing key, per Android's app signing guide you cannot update the app with a new key and must publish a new app under a new package name. Check your signing setup in Play Console first.
Upload key vs app signing key
Two different keys are involved, and knowing which one you lost decides everything. The upload key is the one you use to sign the app bundle or APK you upload to Play Console. The app signing key is the one used to sign the APKs that Google delivers to users. With Play App Signing, these are separate: you keep the upload key, and Google holds the app signing key.
That separation is what makes recovery possible. Because losing the upload key does not touch the app signing key Google holds, Google can simply accept a new upload key from you and keep signing deliveries with the same app signing key, so users get seamless updates. Before you panic about a lost key, determine which of the two it was, because a lost upload key under Play App Signing is a routine reset, while a lost app signing key with no Play App Signing is the serious case.
Play App Signing vs local signing
This distinction is the crux of the whole question. With Play App Signing, Google generates or imports and then securely stores your app signing key, so that key is not something you can lose in a way that blocks updates; even if your local copies are gone, Google still has it. Losing your upload key in this setup is recoverable through a reset. Play App Signing is required for new apps and is the default for most developers today.
With local, or legacy, signing, you manage the app signing key yourself and Google never holds it. In that setup, losing the app signing key means no one can produce a correctly signed update, and there is no reset, because there is nothing on Google's side to fall back to. So the first thing to check in Play Console, under app integrity or app signing, is whether Play App Signing is enabled, since that single fact tells you whether your situation is a quick reset or an unrecoverable loss.
If you lost your upload key
If Play App Signing is enabled and you lost only your upload key, you are in the recoverable case, and the path is to replace the upload key. You generate a new upload key and keystore, and then ask Google to register it in place of the old one, after which you sign your uploads with the new key. Your app signing key, and therefore your users' ability to receive updates, is untouched throughout.
This also covers the common situation of forgetting your upload keystore password or losing the keystore file: since it is the upload key, you reset it rather than losing the app. Generate the replacement key with keytool, keep the new keystore and its password backed up securely this time, and export the new certificate so you can submit it to Google. The old upload key stops working once the reset completes, so update your build configuration and any CI signing to use the new keystore.
How to reset the upload key and contact support
To reset the upload key, first generate a new key and export its certificate. Create a new keystore with keytool, then export the public certificate in PEM form using keytool with the export and rfc options, which produces an upload_certificate.pem file. That certificate is what Google needs to register your new upload key, so keep it ready before starting the request.
Then request the reset in Play Console: under the app's integrity or app signing settings, use the option to request an upload key reset and upload the new certificate, or contact Google Play developer support through the Help option in the Console and provide the new upload_certificate.pem. Google processes the reset, which can take up to about two days, and notifies you when the new upload key is active. After that, sign all future uploads with the new key. Do not keep retrying uploads with the old key while the reset is pending.
If you lost the app signing key without Play App Signing
If you never enrolled in Play App Signing and you lost the app signing key you managed yourself, that is the unrecoverable case. Because Google never held that key, there is no reset and no way to sign an update that Android will accept as the same app, since Android verifies updates against the original signing certificate. The existing app cannot be updated with a different key.
The practical path forward is to publish a new app: create a new listing with a new application ID, generate a fresh signing key, and, this time, use Play App Signing so the key is protected going forward. Users of the old app will need to install the new one, since the two are different apps to Android and Google Play, and you cannot migrate installs automatically. It is a hard outcome, which is exactly why Play App Signing exists and why enrolling protects you from ever facing it again.
Recovery paths
Matching your situation to its outcome tells you whether to reset or to rebuild. The table below pairs the situations with what to do.
| Situation | Recoverable? | What to do |
|---|---|---|
| Lost upload key, Play App Signing on | Yes | Generate a new upload key and request an upload key reset |
| Lost app signing key, Play App Signing on | Yes | Nothing is lost; Google holds the app signing key |
| Forgot upload keystore password | Yes | Reset the upload key with a new keystore |
| Lost app signing key, no Play App Signing | No | Publish a new app with a new key and package name |
Read the table against your Play Console signing settings. Every recoverable row depends on Play App Signing being enabled, which is why confirming that comes first.
Reset checklist
Working through the reset in order gets your updates flowing again. The checklist below covers the steps.
| Step | Action | Done? |
|---|---|---|
| Confirm signing type | Check app signing in Play Console | [ ] |
| Generate new upload key | Create a new keystore with keytool | [ ] |
| Export certificate | Produce upload_certificate.pem | [ ] |
| Request reset | Use the Console request or contact support with the PEM | [ ] |
| Wait for reset | Allow up to about two days | [ ] |
| Sign with new key | Update your build and CI to the new keystore | [ ] |
The step that determines your whole path is the first one: confirm whether Play App Signing is enabled, because it decides whether you reset an upload key or have to publish a new app.
Keep keys out of your build
A lost key is one signing risk; an exposed key is another. If a signing key or other secret is accidentally bundled into your app or committed alongside it, that is a security problem separate from losing it, and it is worth catching before you ship.
A scanner like PTKD.com analyzes your build and reports issues such as leaked keys, embedded secrets, and over-broad permissions by severity, mapped to OWASP MASVS, so a credential that should never ship is flagged before release. To be clear about the boundary: PTKD does not recover a lost signing key or reset your upload key. It helps you avoid shipping keys and secrets that should have stayed out of the build.
What to take away
- Whether a lost key is recoverable depends on Play App Signing, so confirm your signing setup in Play Console before anything else.
- A lost upload key is recoverable when Play App Signing is on: generate a new upload key, export its certificate, and request an upload key reset.
- The app signing key is safe under Play App Signing because Google holds it, so losing your local copies does not block updates.
- A lost app signing key with no Play App Signing is unrecoverable; you must publish a new app under a new package name and have users reinstall.
- Enroll in Play App Signing to avoid the unrecoverable case, and scan builds with PTKD.com so keys and secrets never ship in the first place.




