
First Android app, can't recover key?

  • 03-01-2017 12:08am
    #1
    Registered Users Posts: 8,432 ✭✭✭


    Hey guys,

    I'm very very new to app development and built something purely as a bit of fun for my wife for Xmas. However, I wanted to patch something on it and discovered that I cannot sign an apk anymore?

    I KNOW I'm using the right passwords as I've found them in the application logs of Android Studio (which seems odd but means I know for definite I'm not forgetting the password) but the alias key is not being recognised.

    The specific error I'm getting is:
    FAILURE: Build failed with an exception.

    * What went wrong:
    Execution failed for task ':app:packageRelease'.
    > com.android.ide.common.signing.KeytoolException: Failed to read key myappkey from store "C:\Users\redxiv\keystore\android.jks": Cannot recover key

    Has anyone come across this before? It's not the end of the world if I can't update it but I'm worried if I ever put more time into an app, this would happen again.

    Cheers,
    Red


Comments

  • Registered Users Posts: 11,262 ✭✭✭✭jester77


    Run gradle's signingReport to see what is wrong
    ./gradlew signingReport
    


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    jester77 wrote: »
    Run gradle's signingReport to see what is wrong
    ./gradlew signingReport
    

    Output is as below:
    :app:signingReport
    Variant: release
    Config: none
    ----------
    Variant: debugUnitTest
    Config: debug
    Store: C:\Users\redxiv\.android\debug.keystore
    Alias: AndroidDebugKey
    MD5: AC:B2:C0:28:AB:A2:A3:00:ED:E5:A1:88:53:33:1A:26
    SHA1: CA:B5:65:49:27:B4:3C:1F:6B:6E:1E:A0:1F:A6:04:69:C5:CB:5F:C0
    Valid until: Thursday, 1 November 2046
    ----------
    Variant: releaseUnitTest
    Config: none
    ----------
    Variant: debug
    Config: debug
    Store: C:\Users\redxiv\.android\debug.keystore
    Alias: AndroidDebugKey
    MD5: AC:B2:C0:28:AB:A2:A3:00:ED:E5:A1:88:53:33:1A:26
    SHA1: CA:B5:65:49:27:B4:3C:1F:6B:6E:1E:A0:1F:A6:04:69:C5:CB:5F:C0
    Valid until: Thursday, 1 November 2046
    ----------
    Variant: debugAndroidTest
    Config: debug
    Store: C:\Users\redxiv\.android\debug.keystore
    Alias: AndroidDebugKey
    MD5: AC:B2:C0:28:AB:A2:A3:00:ED:E5:A1:88:53:33:1A:26
    SHA1: CA:B5:65:49:27:B4:3C:1F:6B:6E:1E:A0:1F:A6:04:69:C5:CB:5F:C0
    Valid until: Thursday, 1 November 2046
    ----------
    
    BUILD SUCCESSFUL
    
    Total time: 4 mins 17.859 secs
    

    There is a worrying few lines there I highlighted. Is the lack of config my issue?

    Red

    EDIT:

    Ok so I had a quick look and checked out the documentation here and changed the build.gradle file so the signingConfig entry "config" (which already existed with again passwords in plain text) was added in my build.gradle:
        buildTypes {
            release {
                minifyEnabled false
                proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
                signingConfig signingConfigs.config
            }
        }
    

    When I ran the signingReport again, I now get the following:
    C:\Users\redxiv\AndroidStudioProjects\ILoveHow>gradlew signingReport
    Incremental java compilation is an incubating feature.
    The TaskInputs.source(Object) method has been deprecated and is scheduled to be removed in Gradle 4.0. Please use TaskInputs.f
    ile(Object).skipWhenEmpty() instead.
    :app:signingReport
    Variant: debug
    Config: debug
    Store: C:\Users\redxiv\.android\debug.keystore
    Alias: AndroidDebugKey
    MD5: AC:B2:C0:28:AB:A2:A3:00:ED:E5:A1:88:53:33:1A:26
    SHA1: CA:B5:65:49:27:B4:3C:1F:6B:6E:1E:A0:1F:A6:04:69:C5:CB:5F:C0
    Valid until: Thursday, 1 November 2046
    ----------
    Variant: releaseUnitTest
    Config: config
    Store: C:\Users\redxiv\keystore\android.jks
    Alias: myappkey 
    Error: Failed to read key myappkey from store "C:\Users\redxiv\keystore\android.jks": Cannot recover key
    ----------
    Variant: debugAndroidTest
    Config: debug
    Store: C:\Users\redxiv\.android\debug.keystore
    Alias: AndroidDebugKey
    MD5: AC:B2:C0:28:AB:A2:A3:00:ED:E5:A1:88:53:33:1A:26
    SHA1: CA:B5:65:49:27:B4:3C:1F:6B:6E:1E:A0:1F:A6:04:69:C5:CB:5F:C0
    Valid until: Thursday, 1 November 2046
    ----------
    Variant: debugUnitTest
    Config: debug
    Store: C:\Users\redxiv\.android\debug.keystore
    Alias: AndroidDebugKey
    MD5: AC:B2:C0:28:AB:A2:A3:00:ED:E5:A1:88:53:33:1A:26
    SHA1: CA:B5:65:49:27:B4:3C:1F:6B:6E:1E:A0:1F:A6:04:69:C5:CB:5F:C0
    Valid until: Thursday, 1 November 2046
    ----------
    Variant: release
    Config: config
    Store: C:\Users\redxiv\keystore\android.jks
    Alias: myappkey 
    Error: Failed to read key myappkey from store "C:\Users\redxiv\keystore\android.jks": Cannot recover key
    ----------
    
    BUILD SUCCESSFUL
    
    Total time: 5.21 secs
    
    

    Which gets me ever so slightly further but still throwing me the same error :)

    Appreciate any extra help!


  • Registered Users Posts: 11,262 ✭✭✭✭jester77


    So you have a section in your build.gradle that looks like this, (based on your buildtypes release you posted):
        signingConfigs {
            config {
                storeFile file('android.jks')
                storePassword 'password'
                keyAlias 'myappkey'
                keyPassword 'password'
            }
        }
    

    Is 'myappkey' definitely the correct keyAlias?

    If you are not sure about the alias, you can click build, generate signed apk, select C:\Users\redxiv\keystore\android.jks, enter your password and then select the 3 dots button beside alias, this will show you what alias(es) you have for this signing.


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    Yep, alias is definitely right, it's what android studio tells me is the only existing key when I try to generate a signed apk.

    My build.gradle looks like this:
        signingConfigs {
            config {
                keyAlias 'myappkey'
                keyPassword 'passwordAlias'
                storeFile file('C:/Users/redxiv/keystore/android.jks')
                storePassword 'password'
            }
        }
    

    The passwords are different, which from some resources online appears to cause an issue but I definitely managed to sign it once with two different passwords (one for the keystore and one for the alias)


  • Registered Users Posts: 11,262 ✭✭✭✭jester77


    hmm, yeah I've seen that before about passwords needing to be the same, not sure why that should be the case.

    Do you know when you last signed the apk? There are probably some logs still on your PC under C:\Users\redxiv\.AndroidStudioX.X\system\log\ from around that time. You'd need to know which AS version you were using at the time as well.

    Or you could just do a string search for the "-Pandroid.injected.signing.key.alias=myappkey" and you will see the passwords in plain text:
    -Pandroid.injected.signing.store.password=PASSWORD,
    -Pandroid.injected.signing.key.alias=myappkey,
    -Pandroid.injected.signing.key.password=PASSWORD,


    Otherwise, reset the passwords for both to be the same:
    keytool -storepasswd -new NEW_PASSWORD -keystore C:/Users/redxiv/keystore/android.jks
    
    keytool -keypasswd -alias myappkey -new NEW_PASSWORD -keystore C:/Users/redxiv/keystore/android.jks
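
A check for the exposure that comes up above (signing passwords as quoted literals in build.gradle, and in the `-Pandroid.injected.signing.*` arguments found in the Android Studio log), as an added example that is not part of the original thread. The sample inputs are constructed, and `keystoreProps` is a hypothetical variable name for values loaded from an untracked properties file.

```python
import re

# Signing secrets in the two places this thread found them: quoted literals in
# build.gradle and the -P properties Android Studio hands to Gradle (IDE log).
PATTERNS = [
    ("gradle-literal",
     re.compile(r"""\b(storePassword|keyPassword)\s*[(=]?\s*(['"])(.+?)\2""")),
    ("injected-property",
     re.compile(r"-Pandroid\.injected\.signing\.(store|key)\.password=([^,\s]+)")),
]

def find_signing_secrets(name, text):
    """Return one finding per plaintext signing password, never the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append({
                    "file": name,
                    "line": lineno,
                    "kind": kind,
                    "field": m.group(1),
                })
    return findings

# Constructed samples (not real credentials or real log output).
BUILD_GRADLE = """\
signingConfigs {
    config {
        keyAlias 'myappkey'
        keyPassword 'passwordAlias'
        storeFile file('C:/Users/redxiv/keystore/android.jks')
        storePassword 'password'
    }
}
"""
IDEA_LOG = ("2017-01-02 23:10:01 INFO - gradle args: "
            "-Pandroid.injected.signing.store.password=PASSWORD, "
            "-Pandroid.injected.signing.key.alias=myappkey, "
            "-Pandroid.injected.signing.key.password=PASSWORD,\n")
# keystoreProps is a hypothetical object holding values read from an untracked file.
EXTERNALISED = "storePassword keystoreProps['storePassword']\n"

if __name__ == "__main__":
    for src, text in [("build.gradle", BUILD_GRADLE), ("idea.log", IDEA_LOG),
                      ("build.gradle (externalised)", EXTERNALISED)]:
        for finding in find_signing_secrets(src, text):
            print(finding)
```

The literal form and the injected properties are both reported; the line that reads the value from a variable is not.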
    


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    jester77 wrote: »
    hmm, yeah I've seen that before about passwords needing to be the same, not sure why that should be the case.

    Not sure either, but just mentioned it in case you had run across it before.
    jester77 wrote: »
    Do you know when you last signed the apk? There are probably some logs still on your PC under C:\Users\redxiv\.AndroidStudioX.X\system\log\ from around that time. You'd need to know which AS version you were using at the time as well.

    Or you could just do a string search for the "-Pandroid.injected.signing.key.alias=myappkey" and you will see the passwords in plain text:
    -Pandroid.injected.signing.store.password=PASSWORD,
    -Pandroid.injected.signing.key.alias=myappkey,
    -Pandroid.injected.signing.key.password=PASSWORD,

    Yep, found this at the start :) It was where I confirmed I was using the correct passwords. Definitely have it right :)
    jester77 wrote: »
    Otherwise, reset the passwords for both to be the same:
    keytool -storepasswd -new NEW_PASSWORD -keystore C:/Users/redxiv/keystore/android.jks
    
    keytool -keypasswd -alias myappkey -new NEW_PASSWORD -keystore C:/Users/redxiv/keystore/android.jks
    

    I was able to change the first, but not the second. When I try the second I get the same "keytool error: java.security.UnrecoverableKeyException: Cannot recover key"

    Cheers for the ideas though!


  • Registered Users Posts: 11,262 ✭✭✭✭jester77


    RedXIV wrote: »
    Not sure either, but just mentioned it in case you had run across it before.



    Yep, found this at the start :) It was where I confirmed I was using the correct passwords. Definitely have it right :)


    I was able to change the first, but not the second. When I try the second I get the same "keytool error: java.security.UnrecoverableKeyException: Cannot recover key"

    Cheers for the ideas though!

    Weird, either the old password is wrong or the file is somehow corrupt.

    Might there be trailing white space at the end of the old password, might be worth typing the old password + space?
    You could also just try the default password "changeit", although unlikely to work.


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    jester77 wrote: »
    Weird, either the old password is wrong or the file is somehow corrupt.

    Might there be trailing white space at the end of the old password, might be worth typing the old password + space?
    You could also just try the default password "changeit", although unlikely to work.

    I'm leaning towards the latter :(

    I tried a few different versions of the password and I found a brute force tool as well which couldn't crack the password after a few days of running.

    Shame, even if I knew how I corrupted it would help, but I've no idea what happened?!


  • Registered Users Posts: 11,262 ✭✭✭✭jester77


    RedXIV wrote: »
    I'm leaning towards the latter :(

    I tried a few different versions of the password and I found a brute force tool as well which couldn't crack the password after a few days of running.

    Shame, even if I knew how I corrupted it would help, but I've no idea what happened?!

    I'm out of ideas, sorry

    Worst case, you'll have to sign the app with a new key. So you will be basically releasing a new app. This means you'll have to have different package naming, and anyone with the old app won't get the update. You should just remove it from the store if you upload the new one.


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    jester77 wrote: »
    I'm out of ideas, sorry

    Worst case, you'll have to sign the app with a new key. So you will be basically releasing a new app. This means you'll have to have different package naming, and anyone with the old app won't get the update. You should just remove it from the store if you upload the new one.

    No worries, I appreciate all the help and ideas!


  • Registered Users Posts: 7,863 ✭✭✭The_B_Man


    Use keytool on the command line to get info on the signing cert.
    Or try building a signed app in Android Studio in the build menu (Generate signed app, I think). At the very least, this will tell you the real alias, as it'll give you a drop down menu listing aliases if you put in the correct password.


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    The_B_Man wrote: »
    Use keytool on the command line to get info on the signing cert.
    Or try building a signed app in Android Studio in the build menu (Generate signed app, I think). At the very least, this will tell you the real alias, as it'll give you a drop down menu listing aliases if you put in the correct password.

    Tried the second option so I know the name of the alias for definite, can you elaborate more on the first option?


    Cheers!


  • Registered Users Posts: 7,863 ✭✭✭The_B_Man


    So from what I gather, you're trying to make sure the passwords and aliases are correct.

    keytool is a cmd line tool that can do that. I assume you would have used it when creating your signing cert in the first place.
    To list the aliases, type this:
    keytool -list -keystore <path_to_keystore>

    Then to list info on one of the aliases, type this:
    keytool -list -keystore <path_to_keystore> -alias <alias_name>

    It'll ask you for the password each time (1 password to open keystore, 1 password to access an alias. They can be the same.), and will tell you if the password you enter is wrong.

    TBH, using the android studio way, if you try to sign the app that way, then it'll tell you if the password is wrong, so u prob don't even need to use keytool.


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    The_B_Man wrote: »
    So from what I gather, you're trying to make sure the passwords and aliases are correct.

    keytool is a cmd line tool that can do that. I assume you would have used it when creating your signing cert in the first place.
    To list the aliases, type this:
    keytool -list -keystore <path_to_keystore>

    Then to list info on one of the aliases, type this:
    keytool -list -keystore <path_to_keystore> -alias <alias_name>

    It'll ask you for the password each time (1 password to open keystore, 1 password to access an alias. They can be the same.), and will tell you if the password you enter is wrong.

    TBH, using the android studio way, if you try to sign the app that way, then it'll tell you if the password is wrong, so u prob don't even need to use keytool.

    Ah ok, I understand a bit more now.

    I tried those commands but I'm not getting asked for my alias password? Is there a parameter or command missing?


  • Registered Users Posts: 7,863 ✭✭✭The_B_Man


    Does it display your alias details though? It gives me the certificate fingerprint (SHA1) when I type in the 2nd command.
    If yours is getting shown, then it looks like there's no password for the alias, which is weird.


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    The_B_Man wrote: »
    Does it display your alias details though? It gives me the certificate fingerprint (SHA1) when I type in the 2nd command.
    If yours is getting shown, then it looks like there's no password for the alias, which is weird.

    Interestingly, yes I am seeing the fingerprint.

    I wonder if I try and set the password using nothing as the current password would that work?

    Edit: No, that did not work :)

    A bit confused now, I've SEEN the password in various files (log and config) but running the command above shows the SHA1 fingerprint. How did I manage to get to this point?
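
What a listing such as `keytool -list` has to read, as an added example that is not part of the original thread and assumes the store uses the legacy JKS format: the alias and certificate chain are stored unencrypted, the store password only keys a trailing integrity hash, and the key password protects nothing but the private key blob, so the SHA1 fingerprint can be computed without it. The keystore bytes are constructed inline with placeholder key and certificate blobs.

```python
import hashlib
import io
import struct

MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # constant mixed into the JKS integrity hash

def integrity_hash(store_password, body):
    # The store password only keys this trailing SHA-1; it encrypts nothing.
    return hashlib.sha1(store_password.encode("utf-16-be") + WHITENER + body).digest()

def utf(text):
    raw = text.encode("utf-8")  # equals Java's modified UTF-8 for ASCII names
    return struct.pack(">H", len(raw)) + raw

def build_sample_jks(alias, store_password, encrypted_key, cert):
    """Constructed sample store: one key entry holding placeholder blobs."""
    body = struct.pack(">IIi", MAGIC, 2, 1)            # magic, version, entries
    body += struct.pack(">i", 1) + utf(alias)          # tag 1 = private key entry
    body += struct.pack(">q", 1483402080000)           # constructed creation time (ms)
    body += struct.pack(">i", len(encrypted_key)) + encrypted_key
    body += struct.pack(">i", 1) + utf("X.509")        # chain of one certificate
    body += struct.pack(">i", len(cert)) + cert
    return body + integrity_hash(store_password, body)

def list_entries(data, store_password=None):
    """Return (entries, integrity_ok); no key password is needed for any of it."""
    body, trailer = data[:-20], data[-20:]
    stream = io.BytesIO(body)
    read = lambda fmt: struct.unpack(fmt, stream.read(struct.calcsize(fmt)))
    magic, _version, count = read(">IIi")
    if magic != MAGIC:
        raise ValueError("not a JKS keystore")
    entries = []
    for _ in range(count):
        (tag,) = read(">i")
        alias = stream.read(read(">H")[0]).decode("utf-8")
        read(">q")                                     # creation time, unused
        entry = {"alias": alias, "is_key": tag == 1, "cert_sha1": []}
        chain_len = 1                                  # tag 2 = single trusted cert
        if tag == 1:
            entry["encrypted_key_bytes"] = len(stream.read(read(">i")[0]))
            (chain_len,) = read(">i")
        for _ in range(chain_len):
            stream.read(read(">H")[0])                 # certificate type string
            cert = stream.read(read(">i")[0])
            entry["cert_sha1"].append(hashlib.sha1(cert).hexdigest())
        entries.append(entry)
    ok = None if store_password is None else integrity_hash(store_password, body) == trailer
    return entries, ok

SAMPLE = build_sample_jks("myappkey", "password", b"\x00" * 64, b"constructed certificate")
```

`list_entries(SAMPLE)` returns the alias and fingerprint with no password at all; passing the store password additionally checks the integrity hash.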


  • Registered Users Posts: 7,863 ✭✭✭The_B_Man


    Are you signing it in Android Studio? As in clicking "Generate signed APK" and inputting the password and selecting the alias etc?

    No idea how you managed to generate a signing cert without a password on the alias. Maybe google how to change the password on an alias and set it to the same password as the cert itself.


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    The_B_Man wrote: »
    Are you signing it in Android Studio? As in clicking "Generate signed APK" and inputting the password and selecting the alias etc?

    No idea how you managed to generate a signing cert without a password on the alias. Maybe google how to change the password on an alias and set it to the same password as the cert itself.

    Yep, signing it in Android studio.

    I've no idea how it happened either, it definitely wasn't originally like that as seen in the logs. I can't change the password though :( It keeps saying "Please enter password" when I try to enter the current password as an empty string. So close!!!


  • Registered Users Posts: 7,863 ✭✭✭The_B_Man


    So when you use Android Studio, it doesn't give you any errors?
    If you put in the wrong password it should tell you at the end that the password was wrong.

    Another option is to try change the keystore password from the command line, as follows:
    keytool -keypass "previous password" -new "new password" -keystore "keystore location"


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    Well I can't sign it anymore in Android Studio. When I try the original password, it fails in the generation of the signed apk, when I try and leave it blank (taking into account the information above) it won't let me try and generate the apk as it's not accepting an empty field for the alias password.

    I tried the command line but it expects a value for the existing alias password also :(

    Seems like I'm caught in an infinite loop! There is probably a check before comparing to the password string that you haven't passed an empty string that is getting triggered but the password at the moment is an empty string!


  • Registered Users Posts: 7,863 ✭✭✭The_B_Man


    I read somewhere that if you don't set a password, then the default password is "changeit". You could try using that.
    If the password is definitely blank, you could try set an "initial" password:
    keytool -storepasswd -storepass 'mypass' -keystore <path_to_keystore>


  • Registered Users Posts: 8,432 ✭✭✭RedXIV


    The_B_Man wrote: »
    I read somewhere that if you don't set a password, then the default password is "changeit". You could try using that.
    If the password is definitely blank, you could try set an "initial" password:
    keytool -storepasswd -storepass 'mypass' -keystore <path_to_keystore>

    Sorry, only getting back to this now.

    I tried "changeit", no joy there :(

    That command looks like it updates the keystore password rather than the alias?

