Google Play

    Google Play Console App Signing Key Lost (Recovery)

    Google Play Console app signing settings showing Play App Signing enabled with an upload key reset request in progress.

    Whether a lost signing key is recoverable depends entirely on whether you use Play App Signing. If you do, Google securely holds your app signing key, so losing your local upload key is recoverable: you generate a new upload key and request an upload key reset, and you can keep updating your app. If you do not use Play App Signing and you lose the app signing key you manage yourself, that is not recoverable, because no one else has it, and you cannot update the existing app with a different key. Confirm which case you are in first, since the two have completely different outcomes.

    Short answer

    A lost upload key is recoverable; a lost app signing key that only you held is not. Per Google's Play App Signing documentation, when Play App Signing is enabled Google stores your app signing key, so if you lose your upload key you generate a new one and request an upload key reset in Play Console, then sign future uploads with it. If you never enrolled in Play App Signing and lose the app signing key, per Android's app signing guide you cannot update the app with a new key and must publish a new app under a new package name. Check your signing setup in Play Console first.

    Upload key vs app signing key

    Two different keys are involved, and knowing which one you lost decides everything. The upload key is the one you use to sign the app bundle or APK you upload to Play Console. The app signing key is the one used to sign the APKs that Google delivers to users. With Play App Signing, these are separate: you keep the upload key, and Google holds the app signing key.

    That separation is what makes recovery possible. Because losing the upload key does not touch the app signing key Google holds, Google can simply accept a new upload key from you and keep signing deliveries with the same app signing key, so users get seamless updates. Before you panic about a lost key, determine which of the two it was, because a lost upload key under Play App Signing is a routine reset, while a lost app signing key with no Play App Signing is the serious case.

    Play App Signing vs local signing

    This distinction is the crux of the whole question. With Play App Signing, Google generates or imports and then securely stores your app signing key, so that key is not something you can lose in a way that blocks updates; even if your local copies are gone, Google still has it. Losing your upload key in this setup is recoverable through a reset. Play App Signing is required for new apps and is the default for most developers today.

    With local, or legacy, signing, you manage the app signing key yourself and Google never holds it. In that setup, losing the app signing key means no one can produce a correctly signed update, and there is no reset, because there is nothing on Google's side to fall back to. So the first thing to check in Play Console, under app integrity or app signing, is whether Play App Signing is enabled, since that single fact tells you whether your situation is a quick reset or an unrecoverable loss.

    If you lost your upload key

    If Play App Signing is enabled and you lost only your upload key, you are in the recoverable case, and the path is to replace the upload key. You generate a new upload key and keystore, and then ask Google to register it in place of the old one, after which you sign your uploads with the new key. Your app signing key, and therefore your users' ability to receive updates, is untouched throughout.

    This also covers the common situation of forgetting your upload keystore password or losing the keystore file: since it is the upload key, you reset it rather than losing the app. Generate the replacement key with keytool, keep the new keystore and its password backed up securely this time, and export the new certificate so you can submit it to Google. The old upload key stops working once the reset completes, so update your build configuration and any CI signing to use the new keystore.

    How to reset the upload key and contact support

    To reset the upload key, first generate a new key and export its certificate. Create a new keystore with keytool, then export the public certificate in PEM form using keytool with the export and rfc options, which produces an upload_certificate.pem file. That certificate is what Google needs to register your new upload key, so keep it ready before starting the request.

    Then request the reset in Play Console: under the app's integrity or app signing settings, use the option to request an upload key reset and upload the new certificate, or contact Google Play developer support through the Help option in the Console and provide the new upload_certificate.pem. Google processes the reset, which can take up to about two days, and notifies you when the new upload key is active. After that, sign all future uploads with the new key. Do not keep retrying uploads with the old key while the reset is pending.

    If you lost the app signing key without Play App Signing

    If you never enrolled in Play App Signing and you lost the app signing key you managed yourself, that is the unrecoverable case. Because Google never held that key, there is no reset and no way to sign an update that Android will accept as the same app, since Android verifies updates against the original signing certificate. The existing app cannot be updated with a different key.

    The practical path forward is to publish a new app: create a new listing with a new application ID, generate a fresh signing key, and, this time, use Play App Signing so the key is protected going forward. Users of the old app will need to install the new one, since the two are different apps to Android and Google Play, and you cannot migrate installs automatically. It is a hard outcome, which is exactly why Play App Signing exists and why enrolling protects you from ever facing it again.

    Recovery paths

    Matching your situation to its outcome tells you whether to reset or to rebuild. The table below pairs the situations with what to do.

    SituationRecoverable?What to do
    Lost upload key, Play App Signing onYesGenerate a new upload key and request an upload key reset
    Lost app signing key, Play App Signing onYesNothing is lost; Google holds the app signing key
    Forgot upload keystore passwordYesReset the upload key with a new keystore
    Lost app signing key, no Play App SigningNoPublish a new app with a new key and package name

    Read the table against your Play Console signing settings. Every recoverable row depends on Play App Signing being enabled, which is why confirming that comes first.

    Reset checklist

    Working through the reset in order gets your updates flowing again. The checklist below covers the steps.

    StepActionDone?
    Confirm signing typeCheck app signing in Play Console[ ]
    Generate new upload keyCreate a new keystore with keytool[ ]
    Export certificateProduce upload_certificate.pem[ ]
    Request resetUse the Console request or contact support with the PEM[ ]
    Wait for resetAllow up to about two days[ ]
    Sign with new keyUpdate your build and CI to the new keystore[ ]

    The step that determines your whole path is the first one: confirm whether Play App Signing is enabled, because it decides whether you reset an upload key or have to publish a new app.

    Keep keys out of your build

    A lost key is one signing risk; an exposed key is another. If a signing key or other secret is accidentally bundled into your app or committed alongside it, that is a security problem separate from losing it, and it is worth catching before you ship.

    A scanner like PTKD.com analyzes your build and reports issues such as leaked keys, embedded secrets, and over-broad permissions by severity, mapped to OWASP MASVS, so a credential that should never ship is flagged before release. To be clear about the boundary: PTKD does not recover a lost signing key or reset your upload key. It helps you avoid shipping keys and secrets that should have stayed out of the build.

    What to take away

    • Whether a lost key is recoverable depends on Play App Signing, so confirm your signing setup in Play Console before anything else.
    • A lost upload key is recoverable when Play App Signing is on: generate a new upload key, export its certificate, and request an upload key reset.
    • The app signing key is safe under Play App Signing because Google holds it, so losing your local copies does not block updates.
    • A lost app signing key with no Play App Signing is unrecoverable; you must publish a new app under a new package name and have users reinstall.
    • Enroll in Play App Signing to avoid the unrecoverable case, and scan builds with PTKD.com so keys and secrets never ship in the first place.
    • #signing key
    • #google play
    • #play app signing
    • #upload key
    • #google play console

    Frequently asked questions

    Is a lost Google Play signing key recoverable?
    It depends on Play App Signing. If it is enabled, Google holds your app signing key, so losing your local upload key is recoverable: generate a new upload key and request an upload key reset. If you never enrolled and you lose the app signing key you managed yourself, it is not recoverable, because Google never held it and Android verifies updates against the original certificate. Check your Play Console signing settings first.
    What is the difference between the upload key and the app signing key?
    The upload key signs the bundle or APK you upload to Play Console. The app signing key signs the APKs Google delivers to users. With Play App Signing, you keep the upload key and Google holds the app signing key. That separation is why a lost upload key is recoverable: Google keeps signing deliveries with the same app signing key while accepting a new upload key from you, so users get seamless updates.
    How do I reset a lost upload key?
    Generate a new keystore with keytool, export its public certificate in PEM form using keytool with the export and rfc options to produce an upload_certificate.pem, then request an upload key reset in Play Console under app signing, or contact Google Play developer support through the Help option and provide the certificate. Google processes the reset in up to about two days, after which you sign future uploads with the new key.
    What if I lost the app signing key and never used Play App Signing?
    That is the unrecoverable case. Because Google never held the key, there is no reset, and Android will not accept an update signed with a different key for the existing app. You must publish a new app with a new application ID and a fresh signing key, ideally enrolling in Play App Signing this time, and existing users must install the new app since the two are different apps to Android and Google Play.
    Does losing my upload key affect my users?
    No, not when Play App Signing is enabled. Your users receive APKs signed with the app signing key that Google holds, which does not change during an upload key reset, so updates continue to install seamlessly. Only your side of the process changes: you sign future uploads with the new upload key. Losing the upload key is a developer-side inconvenience, not a break in your users' update path.
    How do I avoid shipping a signing key by accident?
    A lost key is one risk; an exposed key committed or bundled into your app is another. A scanner like PTKD.com (https://ptkd.com) analyzes your build and reports leaked keys, embedded secrets, and over-broad permissions by severity, mapped to OWASP MASVS, so a credential that should never ship is flagged before release. It does not recover a lost key or reset your upload key, but it helps you avoid shipping keys and secrets in the build.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free