Google Play App signing issue, upgrade app signing key has no effect


I want to sign my app with my own certificate. After publishing the app, I upgraded my app signing key successfully in the Google Play Console.


But when I download the app from Google Play and export the APK, then use apksigner to print the certificates, this is the output:

apksigner verify  -v --print-certs ~/Desktop/my.apk

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer (minSdkVersion=33, maxSdkVersion=2147483647) certificate DN: CN=***, OU=myname, O=***, L=***, ST=***, C=***
Signer (minSdkVersion=33, maxSdkVersion=2147483647) certificate SHA-256 digest: *******4cd54be39f12785a80a7baf
Signer (minSdkVersion=33, maxSdkVersion=2147483647) certificate SHA-1 digest: *******fc6b66a9416da89169465
Signer (minSdkVersion=33, maxSdkVersion=2147483647) certificate MD5 digest: *******556b3cf266b2bc2741cf6
Signer (minSdkVersion=33, maxSdkVersion=2147483647) key algorithm: RSA
Signer (minSdkVersion=33, maxSdkVersion=2147483647) key size (bits): 2048
Signer (minSdkVersion=33, maxSdkVersion=2147483647) public key SHA-256 digest: 897a4860c3f2bb2ce4b9d4e687774394d776d6a624b84e78d47eb8cb0cb84189
Signer (minSdkVersion=33, maxSdkVersion=2147483647) public key SHA-1 digest: ef4e19e9869be1e469484b1cb9a15abdec1ffedd
Signer (minSdkVersion=33, maxSdkVersion=2147483647) public key MD5 digest: 53d0af1be1c494da91512013ac715e38


Signer (minSdkVersion=24, maxSdkVersion=32) certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer (minSdkVersion=24, maxSdkVersion=32) certificate SHA-256 digest: a467d5b26721543e4497d2f13a8bb1ad2fda43a3c465cfa68aab1c788f6b1122
Signer (minSdkVersion=24, maxSdkVersion=32) certificate SHA-1 digest: 0064b9fda8a3607caffb40ee9cb473281a075506
Signer (minSdkVersion=24, maxSdkVersion=32) certificate MD5 digest: 21c559262c1eff96efca2e48838a4338
Signer (minSdkVersion=24, maxSdkVersion=32) key algorithm: RSA
Signer (minSdkVersion=24, maxSdkVersion=32) key size (bits): 4096
Signer (minSdkVersion=24, maxSdkVersion=32) public key SHA-256 digest: 6af34c08a9c2d16f1ad3778a4540f8582bc3f73f9079628a1f9fa91169dc24d9
Signer (minSdkVersion=24, maxSdkVersion=32) public key SHA-1 digest: b0f5300c9270f35ee0a12d5c1632dc96089a047a
Signer (minSdkVersion=24, maxSdkVersion=32) public key MD5 digest: 868505b614e176b68c539f2f64f64091

Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb
Source Stamp Signer key algorithm: RSA
Source Stamp Signer key size (bits): 4096
Source Stamp Signer public key SHA-256 digest: 4c53c1d28f2ecceadcb1351603f0b702615b3454b6e30070de759359f241b802
Source Stamp Signer public key SHA-1 digest: 188b067a9ee881bde55dabe0f8f7ecb320b1a091
Source Stamp Signer public key MD5 digest: 965afac83f033aa037a54482eb6922d5

Why is my own certificate used for minSdkVersion=33 ~ maxSdkVersion=2147483647, and Google Play's certificate used for minSdkVersion=24 ~ maxSdkVersion=32 (Android 7 ~ Android 13)?

zhongpeng

The important thing to understand about your question is that the only available option for the corresponding key upgrade request is "Request key upgrade for all installations on Android N (API level 24) and higher." This means that for users on versions lower than Android T (API level 33), your old key still needs to be used to sign new installations or updates. The application will continue to be signed with your old key, but a key rotation proof will be generated and included in the badge (to establish trust between your previous key A and the new key B), so that users can trust the new key you are using once they fully upgrade to Android T and higher, where it is already registered.

Additionally, please note the following conditions for users on API 32 and below:

For API 23 and lower versions, the new key will be included as part of the key rotation badge but will not take effect. For API 24 to API 32, the new key will be included as part of the key rotation badge, but the old key will still be used to verify your integrated API services or trigger application updates. Furthermore, if the user's device currently has Google Play Protect enabled, the system will ensure that updates are signed using the rotated key (i.e., your new key). Therefore, unless GPP is disabled, users won't be able to trigger application updates from third-party sources that are signed only with your old key.