[SOLVED] Google Play App Signing – KeyHash Mismatch


This question and answer were collected from Stack Overflow and tested by the JTuto community, and are licensed under
CC BY-SA 2.5, CC BY-SA 3.0, CC BY-SA 4.0.

Issue

I'm using the new Google Play App Signing to sign my application and there is a key hash mismatch.

I integrated Facebook Login in my app and it said the key hash is invalid. The release key hash of my APK is different from the release key hash created by the Google Play App Signing process.

EDIT: Steps I did:

1) Created a jks keystore file.

2) Created a release APK signed with the jks file.

3) Imported the APK in Google Console Developer, with the subscription to Google Play App Signing, which modifies the signed key.

4) Once online, I download and open the app, and Facebook initialization says: Invalid Key hash

When I check the hash key in the app via the code below, the hash key is different from the invalid hash key reported by Facebook:

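    import android.content.pm.PackageInfo;
    import android.content.pm.PackageManager;
    import android.content.pm.Signature;
    import android.util.Base64;
    import android.util.Log;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    // Inside an Activity (e.g. onCreate): log the key hash of the certificate
    // that signed the installed package.
    try {
        PackageInfo info = getPackageManager().getPackageInfo(
                "com.package",
                PackageManager.GET_SIGNATURES);
        for (Signature signature : info.signatures) {
            // SHA-1 over the signing certificate bytes, then Base64.
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signature.toByteArray());
            Log.d("KeyHash:", Base64.encodeToString(md.digest(), Base64.DEFAULT));
        }
    } catch (PackageManager.NameNotFoundException e) {
        Log.e("KeyHash:", "Package not found", e);
    } catch (NoSuchAlgorithmException e) {
        Log.e("KeyHash:", "SHA-1 digest not available", e);
    }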

Even if I put the hash key reported by Facebook in the Facebook dashboard, it doesn't work. It seems Google Play App Signing modifies the hash key during the signing process. Do you have any idea how to resolve it?

Solution

I had the same issue and it appears that, as you say, the Google Play Store re-signs your apk with a new key, and this is what you must provide to Facebook as the key hash (not the one generated using keytool).

The second half of this answer https://stackoverflow.com/a/44448437/2640599 is useful.

Basically you need to provide Facebook with the hash based on the SHA-1 App signing certificate Google generated, instead of using keytool and your local key (which it seems is now just used for uploading to Google).

Answered By – mole
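
A key hash and a SHA-1 certificate fingerprint are the same 20 bytes in two encodings (Base64 versus colon-separated hex), so one can be converted into the other to see which certificate a given hash belongs to. The Python sketch below is an added example, not part of the original question or answer; the function names and the two certificate byte strings are constructed for illustration.

```python
import base64
import hashlib

# Constructed stand-ins for two DER certificates (not real certificates).
UPLOAD_CERT = b"constructed upload-key certificate bytes"
APP_SIGNING_CERT = b"constructed Google app-signing certificate bytes"

def _to_colon_hex(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def _check_sha1(raw: bytes) -> bytes:
    if len(raw) != 20:
        raise ValueError(f"SHA-1 digest must be 20 bytes, got {len(raw)}")
    return raw

def fingerprint_to_key_hash(fingerprint: str) -> str:
    """Colon-separated SHA-1 fingerprint -> Base64 key hash."""
    hex_digits = "".join(fingerprint.split()).replace(":", "")
    raw = _check_sha1(bytes.fromhex(hex_digits))  # ValueError on bad hex
    return base64.b64encode(raw).decode("ascii")

def key_hash_to_fingerprint(key_hash: str) -> str:
    """Base64 key hash (trailing newline from Base64.DEFAULT allowed) -> fingerprint."""
    raw = _check_sha1(base64.b64decode(key_hash.strip(), validate=True))
    return _to_colon_hex(raw)

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-1 over the certificate bytes, as the Java snippet's MessageDigest does."""
    return _to_colon_hex(hashlib.sha1(cert_der).digest())

def identify(key_hash: str, known: dict) -> str:
    """Name the certificate in `known` (name -> fingerprint) behind a key hash."""
    fingerprint = key_hash_to_fingerprint(key_hash)
    for name, candidate in known.items():
        if candidate.upper() == fingerprint:
            return name
    return "unknown"

if __name__ == "__main__":
    known = {"upload key": cert_fingerprint(UPLOAD_CERT),
             "app signing key": cert_fingerprint(APP_SIGNING_CERT)}
    for name, fp in known.items():
        print(f"{name}: {fp} -> {fingerprint_to_key_hash(fp)}")
    reported = fingerprint_to_key_hash(known["app signing key"]) + "\n"
    print("installed build is signed with:", identify(reported, known))
```

To use it with real values, pass the SHA-1 fingerprint of the app signing certificate to `fingerprint_to_key_hash` and register the result with Facebook.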
