Lost or corrupted Android keystore? Here's what to actually do
If you just realized your Android signing keystore is gone, corrupted, or the password is lost — take a breath first. Your live app on the Play Store is not broken, and your existing users are not affected. What's at risk is your ability to push updates under that same app listing. Whether that's recoverable depends on one thing: whether Play App Signing was enabled before you lost the key.
First, the two keys you're actually dealing with
Google Play publishing involves two separate keys, and mixing them up is the source of most of the panic:
- The app signing key — the one Google actually uses to sign what your users download. If you enrolled in Play App Signing (the default for new apps for years now), Google holds this key securely on your behalf. You never touch it directly.
- The upload key — the one you use locally to sign the AAB/APK you upload to the Play Console. This is the one people usually mean when they say "I lost my keystore."
If you're enrolled in Play App Signing, losing your upload key is annoying, not fatal — because the key that really matters to your users was never the one you lost.
If Play App Signing is enabled: you can recover
Here's the general path:
- Confirm you're logged in as the account owner, not an editor or admin — the reset option is only visible to the owner role.
- In Play Console, go to your app's
Setup → App integrity → App signingtab, and confirm Play App Signing is active. - Generate a brand-new keystore locally (a single
keytool -genkeycommand handles this). - Export a
.pemcertificate from that new keystore. - Find Request upload key reset, pick the reason that matches your situation, and upload the
.pemfile. - Wait — Google typically takes 24 to 72 hours to process the request and will email you once the new key is active.
- From that point on, sign all future releases with your new keystore.
If Play App Signing was never enabled
This is the genuinely hard case. Without Play App Signing, there's no separation between your upload key and your app signing key — they're the same file, and Google has no copy of it to fall back on. If it's truly gone, with no backup anywhere, there's no reset option waiting for you. Your realistic options are searching every old machine, drive, email attachment, or CI/CD secrets store you've ever used, or accepting you'll need to publish as a new app listing and lose your existing install base, reviews, and ranking history.
This is exactly why Google made Play App Signing the default for new apps — but it's opt-in retroactively for older apps, so if you've never explicitly checked, it's worth confirming today, while you still can.
If you publish outside the Play Store
Huawei AppGallery, Amazon Appstore, Samsung Galaxy Store, and similar alternative stores don't have an equivalent safety net. There's no reset option waiting for you if the file is gone — the keystore you have is the only one that will ever exist for that app. If you publish to any of these, treat your keystore backup as non-negotiable, not optional.
The actual fix: stop relying on remembering to back it up
Whether or not this happened to you, the underlying problem is the same for almost every developer: everyone knows they should back up their keystore, and almost nobody does it consistently, because remembering to do it by hand, for every project, every time, isn't realistic.
Vault backs it up for you, automatically
Encrypted on your own device before it's ever sent anywhere, the moment you run a release build. We're opening early access to a small group of developers first.
Join the waitlist