SOLUTION: You uploaded an APK with an invalid signature - digest algorithm SHA-256 / Signature RSA
So I have had a couple of clients contact me with recent issues with publishing and updating Google Play apps. It seems there are issues with some older .keystore certs and apps, and Google are no longer allowing you to update the app (or sign new ones) using the algorithm SHA-256. From my research, it looks like it's caused by Java 8 and Sierra, combined with GameSalad using the default Jarsigner of SHA-256 to sign the apps. Maybe @adent could really look into this further, as this is a game breaker for people with these .keystores: without manual signing, you will not be able to update your apps in Google Play!
The error that is shown in Google Play is something like this:
You uploaded an APK with an invalid signature (learn more about signing). Error from apksigner: ERROR (Jar signer XXX.RSA): JAR signature META-INF/XXX.RSA uses digest algorithm SHA-256 and signature algorithm RSA which is not supported on API Level(s) 10-17 for which this APK is being verified
Personally I don’t have this issue, as my .keystore works without error, but for those of you who are experiencing this I have listed an easy way to sign your apps without using the GameSalad signing tool. However, to do this you need to use Terminal, and you should therefore proceed with caution, as Terminal can break your operating system if used incorrectly. So as with anything you stumble upon on the internet, please take my instructions as a guide only and always back up your machine and work before attempting this solution.
-Generate an UNSIGNED APK
-Rename the UNSIGNED APK old.apk and delete the signed version to save confusion
-Place old.apk on your desktop
-Locate your keystore signing key (the one you normally sign your apps with)
-Make a copy of it and place it on your desktop for ease of the code below
-Change the following code so that AAA is your home folder of your computer and BBB to your keystore name (without extension as I have included this)
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore /Users/AAA/Desktop/BBB.keystore /Users/AAA/Desktop/old.apk android
-Open Terminal and copy/paste the above code and press enter. This will generate a new signed APK called new.apk
-Then change the following code so AAA is your home folder again:
/Users/AAA/Library/Android/sdk/build-tools/25.0.2/zipalign -v 4 /Users/AAA/Desktop/old.apk /Users/AAA/Desktop/new.apk
This will zip align your APK. This path is based on the assumption you have installed the Android SDK in the correct position as instructed when installing your Android SDK. If you didn’t follow that instruction, you will have to enter the new path in the above code before executing it in Terminal.
You will now have a signed app using SHA1withRSA which is zip aligned and can upload this to Google play without error.
If you are unsure how to use Terminal or feel that this is a little too advanced for you, I can offer this as a service to complete this for you. Just send me a PM or email me directly at firstname.lastname@example.org and I can do this for you for a small fee.
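A check to run on new.apk after the steps above, as an added example that is not part of the original post: it lists the digest algorithms named in the APK's META-INF/*.SF file, which is what `-digestalg SHA1` controls, and fails if anything other than SHA1 appears. The function names are made up for this example, and it does not decode the .RSA block, so it does not confirm the `-sigalg` choice.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Print each distinct digest algorithm named in a META-INF/*.SF file (stdin).
# Attribute names look like "SHA-256-Digest-Manifest:" or "SHA1-Digest:".
# Continuation lines start with a space, so they never match.
sf_digest_algs() {
    sed -n 's/^\([A-Za-z0-9-]*\)-Digest[-A-Za-z]*:.*/\1/p' | sort -u
}

# Succeed only if every digest attribute on stdin is SHA1, which is what
# "-digestalg SHA1" in the post's jarsigner command should produce.
# An input with no digest attributes at all is treated as a failure.
sf_is_sha1_only() {
    algs=$(sf_digest_algs | tr '\n' ' ')
    [ "$algs" = "SHA1 " ]
}

# Check a signed APK: pull its .SF file(s) out with unzip and test them.
# Returns 2 if the APK cannot be read or has no .SF entry.
check_apk() {
    apk=$1
    sf=$(unzip -p "$apk" 'META-INF/*.SF') || return 2
    printf '%s\n' "$sf" | sf_digest_algs | sed 's/^/digest: /'
    printf '%s\n' "$sf" | sf_is_sha1_only
}

# Run against an APK only when a path is given on the command line.
if [ $# -ge 1 ]; then
    if check_apk "$1"; then
        echo "OK: only SHA1 digests in the JAR signature file"
    else
        echo "WARN: non-SHA1 digests present, or no .SF file found" >&2
        exit 1
    fi
fi
```

Saved under a name of your choice and run with the path to new.apk as its only argument, it prints the digest algorithms it found before the verdict. Note that jarsigner without `-signedjar` signs old.apk in place; new.apk is the file zipalign writes.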