9 Replies Latest reply on May 16, 2018 11:43 AM by echirulli

    Can I download my Android signing key?

    cedricd3859443

      I need to download the Android signing key currently uploaded to PhonegapBuild. Is that possible? I tried looking for a contact form but no luck.

       

      Thanks

        • 1. Re: Can I download my Android signing key?
          kerrishotts Adobe Employee

          No, for security & legal reasons.

          • 2. Re: Can I download my Android signing key?
            rodneyg35631503

            This is also something that i need - desperately. I understand there is no such feature in general, but if there is a way we can prove we are the owners of the key (by giving out account info, pwd and key pwd) would that be doable?

            • 3. Re: Can I download my Android signing key?
              kerrishotts Adobe Employee

              No (and what you suggest would be no guarantee of ownership). Adobe PGB makes clear that they do not allow downloads of the signing key, and they are correct in this regard. It is far too much of a liability issue from a legal standpoint, and would be extremely insecure (what if someone compromised your account, for example).

               

              You should never rely on PGB as the only holder of the key. You must always maintain a backup of your key yourself -- in fact, ideally, you'd maintain several backups -- at least one locally, at least one in a remote location (that you trust), etc.

              • 4. Re: Can I download my Android signing key?
                JAyBMx

                Hello Kerrishotts,

                 

                I have the same question, I searched in Google if there is any possibility to get a new signing key, but I know it's not possible..
                So this is LITERALLY my last hope, I have an app with 115.000 users (build in 1.5 years) now I lost my keystore and only PGB has a copy of it.

                 

                I'm really screwed if there is literally no way to get it back... I can provide any identification, files, demo-admin users for the app, anything to prove that it's me. I don't need a download button, I don't care how I would get it... I'm really desperate for it!

                 

                Thank you for your time, I hope I'm not bothering you!

                 

                Jason van der Zeeuw,

                The Netherlands

                • 5. Re: Can I download my Android signing key?
                  Chris W. Griffith Adobe Community Professional

                  I afraid you will have to generate a keystore and hope your users migrate...

                  • 6. Re: Can I download my Android signing key?
                    cedricd3859443 Level 1

                    Thanks everyone for your help.

                    • 7. Re: Can I download my Android signing key?
                      echirulli

                      I'm sorry but I don't see the "security issues" you are referring to.

                      PGB allows me to sign any code I want by simply uploading it and providing my keystore and certificate password.

                      So anyone who had stolen my Google account and my keystore passwords could already publish malicious code on Play Store on my behalf.

                      But PGB doesn't allow downloading my keystore while it's "unlocked" on my dashboard.

                       

                      My phonegap app has been released in 2013 for the first time with Phonegap build.

                      At that time PGB never stated that I had to backup my keystore and I never thought about it just because I was delegating the entire release process to PGB.

                      Now I find out that moving away from PGB means dismissing my actual app.

                       

                      It sounds like an utterly unfair policy to me.

                      I wish you could change your mind about it.

                      • 8. Re: Can I download my Android signing key?
                        Chris W. Griffith Adobe Community Professional

                        How do they know you are you? Because you have can log into the system? As frustrating as this might be, it is the correct policy. Losing control of a certificate can be incredibly damaging to the actual owner of that certificate (heck, Adobe even had that problem once). By not allowing it to be downloaded, that is one less point of vulnerability for Adobe to worry about.

                         

                        I can't speak to if that notice was there are not back in 2013. I know I mentioned it in my Lynda.com course back in 2015.

                        • 9. Re: Can I download my Android signing key?
                          echirulli Level 1

                          They already assume that "you are you" once you login and provide the keystore passwords. 

                          They hold your keystore and they allow you to use it freely, as long as you go through their service.

                          But they don't allow you to actually download the keystore.

                          It sounds like a non sense to me.

                           

                          P.S.: I am totally sure that the notice wasn't there in 2013.