Credentials Manager: Stores Keystore Key as Alias Key

[Gustl22]

Summary

Credentials Manager (expo credentials:manager) stores Keystore Key as Alias Key, therefore any build with expo build:android -t app-bundle -c while uploading my own keystore credentials leads to an error. The Alias Key isn't stored at all.

Environment

Expo CLI 4.12.1 environment info: System: OS: Linux 5.11 Ubuntu 21.04 (Hirsute Hippo) Shell: 5.1.4 - /bin/bash Binaries: Node: 16.0.0 - /usr/local/bin/node Yarn: 1.22.15 - /usr/bin/yarn npm: 7.10.0 - /usr/local/bin/npm npmPackages: @expo/webpack-config: ~0.12.63 => 0.12.82 expo: ^42.0.0 => 42.0.4 react: 16.13.1 => 16.13.1 react-dom: 16.13.1 => 16.13.1 react-native: https://github.com/expo/react-native/archive/sdk-42.0.0.tar.gz => 0.63.2 react-native-web: ~0.13.12 => 0.13.18 Expo Workflow: managed

Please specify your device/emulator/simulator platform, model and version

Ubuntu 21.04 (Linux), IntelliJ 2021.2.2 (Ultimate Edition)

Error output

When Running Gradle with expo build:android -t app-bundle -c

[stderr] Execution failed for task ':app:signReleaseBundle'.

[stderr] > A failure occurred while executing com.android.build.gradle.internal.tasks.Workers$ActionFacade

[stderr]    > Failed to read key oberhauser-dev-01 from store "/tmp/turtle/keystore-1c0006fe-c326-4c0c-b4a0-ec6cabb4fc04.jks": Get Key failed: Given final block not properly padded

Reproducible demo or steps to reproduce from a blank project

I call:

expo credentials:manager

✔ Select platform › android ✔ What do you want to do? › Upload Keystore hashes ✔ Would you like to upload a Keystore or have us generate one for you? If you don't know what this means, let us generate it! :) › I want to upload my own file ✔ Path to the Keystore file. … /my-dev.jks ✔ Keystore password … myKeyStorePass ✔ Key alias … my-dev-01 ✔ Key password … myAliasKeyPass (other than the first, tried multiple times, copy paste and manual key inputs) Keystore updated successfully

Next: ✔ What do you want to do? › Download Keystore from the Expo servers ✔ Do you want to display the Android Keystore credentials? … yes Saving Keystore to @my-dev__my-dev.bak.jks Keystore credentials Keystore password: myKeyStorePass Key alias: my-dev-01 Key password: myKeyStorePass Path to Keystore: @my-dev__my-dev.bak.jks

[quinlanj]

Hey @Gustl22 ! I tried repro'ing your issue on the latest version of expo-cli, and I was not able to get this behaviour :/

For what it's worth, I tried:

• uploading my keystore through expo credentials:manager AND expo build:android -c (flag clears previous credentials)
• Downloaded the keystore through the website (https://expo.dev/accounts/[account]/projects/[project]/credentials?platform=android). if you navigate to the Android (Classic) tab, you can download your keystore and see the passwords that were uploaded. Also tried downloading via cli with same results.

Could you please perform a quick sanity check by downloading your keystore from the website to verify the problem is with the double passwords?

[Gustl22]

I updated my expo client from 4.12.1 (released 20 days ago) to 4.12.7 and it seems to work now. Thanks for your support!

[Gustl22]

I have rejoiced too soon:

I made the same procedure as before, then I displayed my credentials, they were correct.

After that, I executed the android build, which didn't work, because it cannot sign the package: https://expo.dev/accounts/naturfreunde/projects/naturfreunde-ski-alpin/builds/65b2fa12-342d-40e6-9ff5-14f6afc2bccf

Then I displayed the credentials again, and TADA again the password for the alias was the same as for the key store. So it displays the right key until I close the Credential Manager, and start it again, then it displays the wrong key. On uploading there is no error displayed via expo-cli

Now I used the Website, to upload my key and I get the following error:

Error: Invalid JKS Keystore: Invalid keystore format

But this cannot be: I used the same file for my Android projects, and I can open it via KeyStore Explorer 5.4.4 So maybe Expo doesn't support jks files generated by Android Studio, maybe...

Edit: I will create some new credentials via Android Studio, to be sure, and then try to upload them. I'll inform you.

[quinlanj]

@Gustl22 -- I looked into your project and it looks like you have a PKCS12 formatted keystore (you can see it in the Type section in the Keystore ui)

Keystore passwords aren't relevant in this case -- PKCS12 formats have no keystore password and only a key password. I'll try to repro your issue with a pkcs keystore, but in the meantime, you can unblock yourself by converting your pkcs keystore to the more common jks format with the keytool binary: keytool -importkeystore -srckeystore somekeystore.pkcs12 -destkeystore somenewkeystore.jks -deststoretype jks

[Gustl22]

You're right. I generated another Keystore + alias via Android Studio (Build -> Generate signed APK with a valid Android Project). The Plugin proposed the file ending .jks but actually it's a PKCS 12. But I had to specify keystore password AND alias password. So what I'm not sure about it the keystore password: In the expo-cli you have to specify keystore password and alias password, too, with a .p12 file (after I renamed it). Further you can set both somehow via keytool https://stackoverflow.com/questions/31228462/how-to-change-pkcs12-keystore-password-using-keytool

Thanks, I'm sure your solution works and I'll convert my keys to .jks now. Nether the less, the expo-cli should display some error or handle .p12 correctly, as it seems the default output of IntelliJ Android Plugin.

[github-actions[bot]]

This issue is stale because it has been open for 60 days with no activity. If there is no activity in the next 7 days, the issue will be closed.

[Gustl22]

@quinlanj I'll try to reproduce again. But as nothing was updated here, I think the issue still exists. I'll let you know.

[EvanBacon]

This appears to be resolved in EAS CLI (expo build:android is deprecated). If you encounter this issue in the future, please open an issue on expo/eas-cli.