Android keystore stopped working

Published 2019-01-13 07:08

Question:

Just recently I have had a problem with a key store. I know there are plenty of questions about this problem already. I have read them all and Googled furiously.

Error:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
    at java.security.KeyStore.load(KeyStore.java:1214)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:885)
    at sun.security.tools.KeyTool.run(KeyTool.java:340)
    at sun.security.tools.KeyTool.main(KeyTool.java:333)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
    ... 5 more

Software I am using:

Java

java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

Eclipse

Version: 3.8.0
Build id: I20120502-2000

Latest ADT Plugin

Latest Android SDK

Here is what I know:

  • I did not lose the password and it has never changed.
  • I cannot retrieve the password (I know the pass).
  • I cannot sign an existing application with a different key without releasing a brand new application (so I cannot publish any updates).

Here is what I have done:

  • I have uninstalled and re-installed Eclipse many times.
  • I have uninstalled and re-installed the android ADT plugin.
  • I have removed and re-downloaded the latest Android SDK many times.
  • I have uninstalled and re-installed JDK7.
  • I have tried using the backups of my keystore.
  • I have checked the MD5 checksums using "md5sum KEYSTORE" and compared with the backups (same MD5 output - not tampered).
  • I have tried brute-forcing the key store (I have retrieved the password that I knew).
  • I created a test key (with current setup) and tested the password and it seems to have worked fine (so something has changed).
  • I have tried exporting the android .apk manually and then tried to sign it (outside of Eclipse).

Here is how I export a signed application:

  • Through Eclipse: Exporting using File > Export > Export Android Application.
  • Before JDK7: jarsigner -verbose -keystore KEYSTORE FILE ALIAS.
  • With JDK7: jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore KEYSTORE FILE ALIAS.

What is there left to figure out or try?

  • Some of the references/URLs say to remove the "trusted.certs" file?
  • Try deleting the "debug.keystore"?
  • Would updating Eclipse or any of the Android development tools affect my keystore?
  • Would updating Java from jdk6 to jdk7 create any problems?
  • Could this have messed with or changed how the jarsigner works in any way?

User suggestions:

  • Try using JDK6, but I was able to recently export an application.
  • Checked key.store.password or key.alias.password in my local.properties
  • Unchecking the build automatically in eclipse and clean your project
  • Try to remove .metadata folder in your workspace and clear all temp folders.

Summary

  • Keystores did not change,
  • I have the passwords to the keystores,
  • I have successfully exported an application recently using:
    • Eclipse 3.8 (and Eclipse 4.0+),
    • Latest Java 7,
    • Latest ADT Plugin.
  • My last successful export and build was a few weeks ago using Eclipse 3.8, latest Android tools and Java 7 with the same password.

Update (6/29/14)

  • I have used: keytool -list -keystore KEYSTORE to successfully prove and show that 3 out of my 4 keys work.
  • I bruteforced the last key and obtained the password from the keystore (the pass I already knew), but the password does not work when I enter it for signing. I have used: java -jar AndroidKeystoreBrute_v1.02.jar -m 3 -k KEYSTORE -d WORDLIST.
  • Strangely enough, sometimes when I type my password into eclipse very quickly, my alias will show up and I can successfully export my application. (I know this is crazy).
  • Updated Java version.

If I type in the password very quickly it works, sometimes.

It seems that opening up Eclipse and entering the password the first time lets me use the keystore.

Obviously, if all else fails, I will have to create a new key store. I really would like to get this resolved, I am just not sure what to do now besides republish with a new key.

If the key cannot be recovered properly, I might open source it on Github.


Solution (6/29/14):

A special thanks to user Erhannis!

Here is what I did:

The command would error out on me each time:

keytool -importkeystore -srckeystore old.keystore -destkeystore new.keystore -v

Since you told me we could extract private keys from the Java Keystore(.jks), I dug deeper and ended up using a variation of the command. I followed the links you posted here and here:

keytool -importkeystore -srckeystore old.keystore -destkeystore new.keystore -deststoretype pkcs12

After extracting the private key and storing it as PKCS12, I then extracted my private key and put it back into a brand new Java Keystore:

keytool -importkeystore -srckeystore new.keystore -srcstoretype pkcs12 -destkeystore final.keystore -deststoretype jks

References:

http://developer.android.com/tools/publishing/app-signing.html#signapp

http://code.google.com/p/android-keystore-password-recover/

List of StackOverflow URLs I have read:

How to handle a lost KeyStore password in Android?

Invalid Keystore problem?

Android: I lost my android key store, what should I do?

I lost my .keystore file?

Forgot Keystore password, thinking of Brute-Force detection. will it corrupt the keystore?

I have lost the password for android Keystore file

Problem running my signed, release keystore in Eclipse

Android - Forgot keystore password. Can I decrypt keystore file?

Android release keystore issue: "Keystore was tampered with, or password was incorrect"

Answer 1:

I may have had the same problem. I never did figure out why it was failing (though I wonder if it was because the keystore password was shorter than 6 digits), but I was able to copy my key into a new keystore, which I then renamed to replace the old one, and it mysteriously worked after that (using the new passwords). Needed the key password, by the way. Working off https://security.stackexchange.com/a/3795, I did the following:

  1. keytool -importkeystore -srckeystore old.keystore -destkeystore new.keystore -v
  2. Entered the new keystore password twice
  3. Hit Enter when it asked me for the source keystore password (left it blank)
  4. Entered the key password

After double-checking that the new one worked, I just copied it over the old one. Hope it works for you; good luck.



Answer 2:

Try to remove .metadata folder in your workspace and clear all temp folders. If your keystore file isn't damaged and you have tried to reinstall Eclipse, ADT, Android SDK and Java SDK correctly, I don't see other possible causes for this strange issue excluding .metadata cache files and/or some temp corruption.

Another suggestion

Try to use Portecle, a utility for managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists etc.



Answer 3:

I had the same problem and I tried everything that is suggested in this thread but nothing was able to save my alias password. The point is that I was absolutely sure about the password, since I had updated the app four times already. I was getting the "Keystore was tampered with, or password was incorrect" message.

The solution

It appears that at the creation of the keystore using eclipse, a space character was added in front of the password!

This nasty bug was apparently fixed at a later version rendering me unable to sign my app with the password I thought was the correct one.

Based on this SO link: Ant fails to build signed apk after updating to android v20 I would suggest that you try adding a space character before or after your password.



Answer 4:

I will suggest a couple more hit-and-trials.

Have patience to apply these,

Steps:

  1. Untick the build automatically (Project-> Build Automatically) in eclipse and clean your project.
  2. Build it again. (Right Click on the project + Build Project)
  3. Export Project.
  4. Select Android Export. (auto aligned for you)
  5. Choose your key. Provide the password. The alias should come up in the list. (Be sure about the caps lock.) Sometimes we give the correct password but due to caps it always fails ;)
  6. Let me know if it works for you.

Hope this will help you.



Answer 5:

Are you storing values such as key.store.password or key.alias.password in your local.properties file? Are either of those incorrect?

I'm curious if there's some bug that occurs for keys created with JDK6 and verified in JDK7 - It would explain why the new keys you created for testing work, but the old one doesn't. Try downgrading to JDK6 and see if that fixes it- Others have had jarsigner trouble in JDK7 that went away when they downgraded to 6. If that works, file a bug report and demand a patch so you can safely upgrade to Java 7 :)



Answer 6:

I battled this issue as well recently, and tried all suggestions listed here and elsewhere. Finally identified a silly mistake that was causing this error at my end - I wanted to share this here in case it helps any of you.

This is more likely to be the case if you, like me, have multiple Java versions on your machine and had upgraded JRE / JDK between the time you originally created the keystore and now when you're trying to sign the APK.

For some reason, our compile instructions were referencing the full Java path like this:

C:\Progra~1\Java\jdk1.6.0_45\bin\jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore cre80ve.keystore unsigned.apk cre80ve

One of the suggestions above got me thinking that it might not be a password issue at all, and it could be version incompatibilities causing the issue. So I ran the below command :

keytool -list -keystore cre80ve.keystore

Using the password that I knew was correct, and lo and behold, it confirmed that it was the right password.

I then dropped the explicit reference in the path to the (older) Java version. This made it automatically pick up the latest version of Java (jdk1.8.0_31 in my case):

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore cre80ve.keystore unsigned.apk cre80ve

And everything started working fine!

Bottom line: it may not be a password issue at all, but different versions of Java or the Android SDK causing the issue, so remember to check that out.

And once it starts working, remember to backup your keystore and password in a safe place :-)



Answer 7:

My key alias stopped working suddenly. (Ok, after a few updates of Android Studio and Java).

I tried all solutions from this thread as well as from others. In my case the solution was surprising. I have the keystore with a few aliases. None was working except one, which had the same password as the keystore. But unfortunately it wasn't the one I needed. This made me think with no logic involved. I copied a single alias to a new keystore with

keytool -importkeystore -srckeystore old.keystore -destkeystore new.keystore -srcalias importantalias

And then I changed alias password to the same as keystore's password with:

keytool -keypasswd -keystore new.keystore -alias importantalias

Finally I was able to sign my apk. It looks like a silly bug which can waste a day of development.



Answer 8:

Just had this issue - all of a sudden Android Studio forgot my passwords and wouldn't use the ones I had in the gradle file. I've had the same keyfile and passwords in the same project for 6 years!

So I entered them manually - but it failed verification time after time. I tried some things like invalidating caches, restarting Android Studio and restoring a backup of the keystore but nothing helped.

Finally in pure desperation I tried to switch the keystore password and the key password. Lo and behold - it worked! Turns out I had switched the passwords when I entered them into the Gradle build file a few years ago, and for some reason I never noticed.

Conclusion: never be 100% sure that you're doing it right.
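
Added example (not part of any answer above): the "Keystore was tampered with, or password was incorrect" error in the stack trace comes from the JKS integrity check, a SHA-1 digest over the store password, a fixed string and the keystore bytes. The sketch below reproduces that check to tell which of your known passwords, with or without the stray space from Answer 3, is really the store password (the swap in Answer 8). It assumes a JKS-format file; the function names and the sample keystore are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over UTF-16BE password + fixed string + keystore body."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def store_password_matches(keystore: bytes, password: str) -> bool:
    """True if `password` reproduces the 20-byte digest that ends a JKS file."""
    if len(keystore) < 32 or struct.unpack(">I", keystore[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore (bad magic)")
    body, stored = keystore[:-20], keystore[-20:]
    return jks_digest(password, body) == stored


def diagnose(keystore: bytes, known_passwords: list[str]) -> list[str]:
    """Try each known password as typed, then with a leading or trailing space."""
    hits = []
    for pw in known_passwords:
        for label, candidate in (("as typed", pw),
                                 ("leading space", " " + pw),
                                 ("trailing space", pw + " ")):
            if store_password_matches(keystore, candidate):
                hits.append(f"{pw!r} ({label})")
    return hits


def make_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS with zero entries, for offline use."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    # Constructed keystore whose real store password has a leading space.
    sample = make_empty_jks(" storepass")
    print(diagnose(sample, ["keypass", "storepass"]))
```

Run it against a copy of the keystore bytes. It only checks the store password; the key (alias) password protects the private key separately and is not tested here.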