keytool: Create an Android Signing Keystore in CI
keytool -genkeypair generates a key pair and self-signed certificate inside a keystore, the file that signs Android release builds.
keytool ships with the JDK and creates the keystore Android signing depends on. In CI you rarely generate keys per run; instead you decode a stored keystore from a secret and use keytool to inspect it.
What it does
keytool manages a Java keystore. -genkeypair creates a signing key and self-signed cert with a validity period; -list shows the aliases in a keystore; -importkeystore converts between JKS and PKCS12. Android upload keys are typically RSA 2048 with long validity.
Common usage
keytool -genkeypair -v -keystore release.keystore \
-alias upload -keyalg RSA -keysize 2048 -validity 10000 \
-storepass "$KS_PASS" -keypass "$KEY_PASS" \
-dname "CN=Example, O=Example, C=US"
keytool -list -v -keystore release.keystore -storepass "$KS_PASS"Options
| Flag | What it does |
|---|---|
| -genkeypair | Generate a key pair and self-signed certificate |
| -keystore <file> | Keystore file to create or read |
| -alias <name> | Key alias inside the keystore |
| -keyalg RSA -keysize 2048 | Key algorithm and size |
| -validity <days> | Certificate validity period |
| -storepass / -keypass | Keystore and key passwords |
| -list -v | List keystore entries with details |
| -dname "<x>" | Subject DN, avoids interactive prompts |
In CI
Do not commit or regenerate the keystore per build; store it base64-encoded in a secret, decode it to a temp file at job start, and delete it after signing. Pass -dname so keytool never drops into interactive prompts. Keep -storepass and -keypass in secrets, not in the workflow file.
Common errors in CI
"keytool error: java.io.IOException: keystore password was incorrect" means a wrong -storepass. "Alias <x> does not exist" means the alias is wrong; run keytool -list. "Illegal option: -genkeypair" means an ancient JDK; upgrade. A missing -dname on a non-interactive runner causes a hang at the "What is your first and last name?" prompt. On JDK 9+, default new keystores are PKCS12, not JKS.