Android APK built from android studio and console have different SHA fingerprints

While building a signed release APK I've come across the following: if I build a signed APK from Android Studio (via Build -> Generate Signed APK...) with a build.gradle file like this (only relevant parts):

signingConfigs {
    release {
        storeFile file('/keystore/location/mykeystore.keystore')
        storePassword 'storepassword'
        keyAlias 'key'
        keyPassword 'keypassword'
    }
}
buildTypes {
    release {
        signingConfig signingConfigs.release
    }
}

The resulting apk fingerprint is YY:YY.
However, if I build my APK from console as described here with build.gradle like this:

buildTypes {
    release {
    }
}

And sign it with the same keystore file, the resulting apk fingerprint is XX:XX.

Also, both SHA fingerprints are different from my debug certificate SHA fingerprint. What's the cause of such behaviour?

I'm using buildToolsVersion 23.0.0
android studio gradle version 1.3.0
android sdk tools version 24.3.4
android studio version 1.3.1

Subcortex answered 24/8, 2015 at 13:55 Comment(10)
Are you sure that you are generating both apks in release build variant? - Pamphylia
@Fondesa I'm pretty sure I build both apks in release build variant. When building in android studio after specifying keystore and key, I select Build Type release. When building from console I run ./gradlew assembleRelease. - Subcortex
Your question is about generating the signed APK in studio vs gradle or about generating through studio vs signing manually? - Senility
@MichałBendowski I think it's about 'generating through studio vs signing manually' if I understood your question correctly. - Subcortex
Android Studio also uses Gradle commands, so the output should be the same. You can check in the Messages tool window of Android Studio which command it is executing. That way you can make sure it is running assembleRelease. - Livengood
@Livengood Thanks for your comment. Unfortunately I can't check it now, will check in 12 hours approximately. By the way, if I try to run ./gradlew assembleRelease with the same build.gradle as the first one (i.e. specifying signingConfig), I get the apk with SHA fingerprint XX:XX, not YY:YY. - Subcortex
@Livengood yeah, I checked messages tool and it says that it's executing assembleRelease. - Subcortex
Do two consecutive builds (no modifications between them) either from command line or Studio have consistent fingerprints? If they don't match it might be the case that gradle adds some variation in the unsigned apk (timestamps or so) hence signing it gives different fingerprints. - Metachromatism
@Daniel I have just tried that - 2 consecutive builds from command line have the same SHA fingerprints. - Subcortex
@Arkadiy: Thanks for ruling that out. I had similar issues with other build systems that were placing build time stamp in manifest file hence the results on signing were different. However here is not the same situation. - Metachromatism

Did you check the contents of the keystore? The fingerprint has to match one of the certificates. It is possible to have multiple certificates in your keystore, perhaps a different one is being used during signing from the console? You can check the certificates by running the following command:

keytool -v -list -keystore /path/to/keystore

Enter the password for the keystore and you should get a list of the aliases. I'd also check the debug keystore to make sure there aren't other certificates there.

The only other possibility I can think of is a path issue that is causing a different keystore to be used.

Formyl answered 28/12, 2015 at 13:13 Comment(1)
Keystore paths are identical. Keystore is the same. I exported both certificates from apk-s signed with studio and manually, they use the same key, but fingerprint is still different. Maybe that is because apk align process? - Bjorn
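
The keystore check suggested in the answer above, as an added example that is not part of the original posts: it reads the text printed by `keytool -v -list` and reports which alias, if any, carries a given certificate SHA1 fingerprint. The function names and the sample listing are assumptions made for illustration; the fingerprints in it are constructed and shortened.

```shell
# Strip separators and upper-case, so "aa:bb" and "AABB" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Print "alias<TAB>SHA1" for each entry. Only the first SHA1 after an alias
# is used: in a chain, Certificate[1] is the signer's own certificate.
list_alias_fps() {
    awk '
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); name = $0; seen = 0 }
        /^[ \t]*SHA1:/ && !seen {
            fp = $0; sub(/^[ \t]*SHA1:[ \t]*/, "", fp)
            gsub(/[^0-9A-Fa-f]/, "", fp)
            print name "\t" toupper(fp); seen = 1
        }'
}

# Print every alias whose certificate SHA1 equals the fingerprint in $1.
aliases_for_fp() {
    want=$(normalize_fp "$1")
    list_alias_fps | awk -F '\t' -v want="$want" '$2 == want { print $1 }'
}

# Constructed sample (fingerprints shortened, not from a real keystore).
sample_keytool_output() {
    cat <<'EOF'
Your keystore contains 2 entries

Alias name: key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Certificate fingerprints:
     SHA1: AA:AA:AA:01
     SHA256: 10:20:30:40
Certificate[2]:
Certificate fingerprints:
     SHA1: CC:CC:CC:03

Alias name: otherkey
Entry type: PrivateKeyEntry
Certificate[1]:
Certificate fingerprints:
     SHA1: BB:BB:BB:02
EOF
}

sample_keytool_output | aliases_for_fp 'bb:bb:bb:02'   # prints: otherkey
```

Against a real keystore, pipe `keytool -v -list -keystore /path/to/keystore` into `aliases_for_fp` with the fingerprint reported for the APK; no output means no entry in that keystore carries that certificate.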
