30
votes

I'm using the new Google Play App Signing to sign my application and there is a key hash mismatch.

I integrated Facebook Login in my app and it said the key hash is invalid. The release key hash of my APK is different from the release key hash created by the Google Play App Signing process.

EDIT: Steps I did:

1) Created a jks keystore file.

2) Created an APK release signed with the jks file.

3) Imported the APK in Google Console Developer, with the subscription to Google Play App Signing, which modifies the signed key.

4) Once online, I download and open the app, and Facebook initialization says: Invalid Key hash

When I check the key hash in the app via the code below, the key hash is different from the invalid key hash reported by Facebook:

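    // Requires: android.content.pm.PackageInfo, android.content.pm.PackageManager,
    // android.content.pm.Signature, android.util.Base64, android.util.Log,
    // java.security.MessageDigest, java.security.NoSuchAlgorithmException
    try {
        PackageInfo info = getPackageManager().getPackageInfo(
                "com.package",
                PackageManager.GET_SIGNATURES);
        for (Signature signature : info.signatures) {
            // "SHA" is SHA-1; the key hash is the Base64 of the certificate's SHA-1 digest
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signature.toByteArray());
            Log.d("KeyHash:", Base64.encodeToString(md.digest(), Base64.DEFAULT));
        }
    } catch (PackageManager.NameNotFoundException e) {
        Log.e("KeyHash:", "Package not found", e);
    } catch (NoSuchAlgorithmException e) {
        Log.e("KeyHash:", "SHA-1 not available", e);
    }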

Even if I put the key hash reported by Facebook in the Facebook dashboard, it doesn't work. It seems Google Play App Signing modifies the key hash during the signing process. Do you have an idea how to resolve it?

5
You should be using a separate key hash for production which could be generated using your release keystore file. :) - SripadRaj
In fact, I first sign my app for production via Android Studio using a .jks file. It creates an APK release which I import in Google Play Console. I don't see what I missed. - Rocé Tarentula
I mean, you have to generate the Facebook API key using the release keystore file, just like you did for getting the API key for the debug certificate. - SripadRaj
Yes, this is what I did, but the key hashes generated are different between the APK before and after signing by Google. - Rocé Tarentula
Can you provide the steps you did? Can you post them in your question? It's hard for me to imagine the problem you're facing. - SripadRaj

5 Answers

35
votes

I had the same issue and it appears that, as you say, the Google Play Store re-signs your APK with a new key, and this is what you must provide to Facebook as the key hash (not the one generated using keytool).

The second half of this answer https://stackoverflow.com/a/44448437/2640599 is useful.

Basically you need to provide Facebook with the hash based on the SHA-1 App signing certificate Google generated, instead of using keytool and your local key (which it seems is now just used for uploading to Google).

57
votes

You have to use the SHA-1 key generated by Google. The following steps would fix it.

1). Go to Google console => Release Management => App signing => App signing certificate.

2). Copy the SHA-1 certificate from there. It's in hexadecimal and Facebook needs it in base64, so use the command shown in step 3.

3). echo <SHA-1 key from step 2 (hexadecimal)> | xxd -r -p | openssl base64
This command won't work in the Command Prompt; use Bash on Windows or the Git CLI.

4). Paste the base64 key in Facebook console => Settings => basic => key hashes

36
votes

You can convert the SHA-1 hash in hex format (as found in the Play console) into a base64 hash using the next command (maybe in Git Bash):

echo 33:4E:48:84:19:50:3A:1F:63:A6:0F:F6:A1:C2:31:E5:01:38:55:2E | xxd -r -p | openssl base64

Output:

M05IhBlQOh9jpg/2ocIx5QE4VS4=

This hash can be used, for example, when setting up a Facebook app.
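The hex-to-base64 conversion from the two answers above, as an added Python example (not code from any of the answers) that also runs where `xxd` and `openssl` are unavailable. It goes one step further and decodes a key hash back to hex so it can be compared with the certificates listed in the Play Console; the function names, the `KNOWN` labels and the upload-key fingerprint are assumptions made for illustration.

```python
import base64
import binascii


def fingerprint_to_key_hash(fingerprint: str) -> str:
    """SHA-1 fingerprint in hex (colons optional) -> base64 key hash."""
    hex_digits = fingerprint.strip().replace(":", "").replace(" ", "")
    try:
        digest = binascii.unhexlify(hex_digits)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a hex fingerprint: {fingerprint!r}") from exc
    if len(digest) != 20:  # SHA-1 is 20 bytes; 32 bytes means the SHA-256 field was copied
        raise ValueError(f"expected a 20-byte SHA-1, got {len(digest)} bytes")
    return base64.b64encode(digest).decode("ascii")


def key_hash_to_fingerprint(key_hash: str) -> str:
    """Base64 key hash -> colon-separated upper-case hex fingerprint."""
    # Defensive normalisation: accept the URL-safe alphabet and missing padding.
    text = key_hash.strip().replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    try:
        digest = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a base64 key hash: {key_hash!r}") from exc
    if len(digest) != 20:
        raise ValueError(f"expected a 20-byte SHA-1, got {len(digest)} bytes")
    return ":".join(f"{b:02X}" for b in digest)


def identify_signer(key_hash: str, known: dict):
    """Return the label of the certificate a key hash belongs to, or None."""
    target = key_hash_to_fingerprint(key_hash).replace(":", "")
    for label, fingerprint in known.items():
        if fingerprint.replace(":", "").upper() == target:
            return label
    return None


# Fingerprint quoted in the answer above, used here as the app signing certificate.
APP_SIGNING_FP = "33:4E:48:84:19:50:3A:1F:63:A6:0F:F6:A1:C2:31:E5:01:38:55:2E"
# Constructed sample value standing in for the local upload keystore's certificate.
UPLOAD_FP = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
KNOWN = {"app signing key": APP_SIGNING_FP, "upload key": UPLOAD_FP}

if __name__ == "__main__":
    print(fingerprint_to_key_hash(APP_SIGNING_FP))
    print(identify_signer("M05IhBlQOh9jpg_2ocIx5QE4VS4", KNOWN))
```

Passing the hash logged by the app or shown in the login error to `identify_signer` tells you whether the installed build was signed with the upload key or with the key Google holds.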

0
votes

Most of the answers above are correct, but instead of running the hash command there is a great tool for that, so I will re-state the steps using @neeraj's answer as the base answer:

Step 3 is the only changed item

You have to use the SHA-1 key generated by Google. The following steps would fix it.

1). Go to Google console => Release Management => App signing => App signing certificate.

2). Copy the SHA-1 certificate from there. It's in hexadecimal and Facebook needs it in base64, so use the online tool shown in step 3.

3). Go to https://base64.guru/converter/encode/hex to convert hexadecimal to base64.

4). Paste the base64 key in Facebook console => Settings => basic => key hashes

-1
votes

I'm guessing that you might be using the key hash generated for debug.keystore.

Steps you have to follow:

1. Generate the key hash for the release certificate.

Go to the command line and execute this command. Replace the placeholders in <*..*> with appropriate values.

keytool -exportcert -alias <*provide an alias here. I recommend to use the same alias that you use for google play app signing*> -keystore <*your path to the jks certificate*> | openssl sha1 -binary | openssl base64

This command will generate a key hash.

2. Copy the key hash generated by the above command and paste it in your Facebook app console like this..

3. Sign the APK with your jks. Download and install on your phone to test.

Try this and let me know. All the best. :)