In the Google Play Console, you can upload an encrypted app signing key to convert an existing app to use Google managed app signing: https://support.google.com/googleplay/android-developer/answer/9842756?hl=en#zippy=%2Cexisting-apps
There are 3 different methods offered, which all result in the same encrypted key, but starting from different kinds of input:
I am migrating a Google Play account previously managed by my security department, and the only input I have is a certificate and accompanying private key in PEM format.
If looking at method 3, this actually only offers a pepk-source.jar file with which supposedly you may compile your own Java tool to convert your key into the encrypted format accepted by Google. It seems very strange that there is no documented way to go from a certificate and private key into an encrypted app signing key?
Here are instructions for going from .cer + .pem to encrypted app signing key.

Below, for simplicity I use xxx as an identifier in all commands. Replace xxx with your desired name as needed:
Input:
- xxx.cer - certificate
- xxx.pem - private key (PEM)

Instead of creating a tool to use pepk.jar to go from the private key to an encrypted app signing key, we instead create a keystore from the cer+pem pair, and then follow the instructions for importing an app signing key from a keystore:
1. Convert .cer + .pem into .pkcs12:

$ openssl pkcs12 -inkey xxx-private-key.pem -in xxx.cer -name xxx -export -out xxx.pkcs12
Note that name is required, as it will be used as alias later. This took me a while to figure out.
2. Create a keystore from the pkcs12 file:

$ keytool -importkeystore -srckeystore xxx.pkcs12 -srcstoretype pkcs12 -alias xxx -destkeystore xxx.keystore
3. Run the pepk tool to convert the keystore into an encrypted key. Use the public key found in the Google Play console (here truncated):

$ java -jar pepk.jar --keystore=xxx.keystore --alias xxx --output xxx-encrypted-private-key --encryptionkey=eb10fe8...
4. Upload the resulting xxx-encrypted-private-key file.
Done!
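The steps above, exercised end to end on a throwaway key pair, as an added example that is not part of the original answer. It uses only openssl (keytool is optional and used if present), and it adds the two checks a practitioner wants before bundling a real upload key: that the private key actually belongs to the certificate, and that the -name value was recorded as the PKCS12 friendlyName, which is the alias keytool and pepk look up later. The file names, the password "changeit" and the self-signed demo certificate are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): .cer + .pem -> PKCS12 -> keystore,
# with verification of the key/cert match and of the alias set by -name.
# Assumes openssl on PATH; keytool is used only if available.
set -eu

WORK="${TMPDIR:-/tmp}/pepk-demo.$$"
PASS="changeit"   # demo password, constructed for this example

# Generate a constructed self-signed cert/key pair in PEM, standing in for the
# pair handed over by the security department.
make_demo_pair() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo upload key" \
    -keyout "$WORK/xxx-private-key.pem" -out "$WORK/xxx.cer" >/dev/null 2>&1
}

# Returns 0 if the public key inside the certificate equals the public key
# derived from the private key. A mismatched pair would otherwise surface only
# as a confusing "openssl pkcs12" error later on.
keys_match() {  # cert key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 1 of the answer: bundle cert + key into PKCS12, alias set via -name.
to_pkcs12() {  # cert key alias out
  openssl pkcs12 -export -inkey "$2" -in "$1" -name "$3" -out "$4" \
    -passout "pass:$PASS"
}

# Prints the first friendlyName recorded in the PKCS12; keytool reports this
# value as the alias after -importkeystore.
pkcs12_alias() {  # pkcs12
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -info 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Step 2 of the answer, made non-interactive with explicit store passwords,
# followed by a check that the alias is present in the new keystore.
to_keystore() {  # pkcs12 alias keystore
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
    -srcstorepass "$PASS" -alias "$2" -destkeystore "$3" \
    -deststorepass "$PASS" -noprompt >/dev/null 2>&1
  keytool -list -keystore "$3" -storepass "$PASS" 2>/dev/null | grep -q "^$2,"
}

# Runs the flow and prints the alias found in the PKCS12 (expected: xxx).
demo() {
  make_demo_pair
  keys_match "$WORK/xxx.cer" "$WORK/xxx-private-key.pem" || return 1
  to_pkcs12 "$WORK/xxx.cer" "$WORK/xxx-private-key.pem" xxx "$WORK/xxx.pkcs12"
  alias_found=$(pkcs12_alias "$WORK/xxx.pkcs12")
  if command -v keytool >/dev/null 2>&1; then
    to_keystore "$WORK/xxx.pkcs12" xxx "$WORK/xxx.keystore"
  fi
  rm -rf "$WORK"
  printf '%s\n' "$alias_found"
}
```

Run "demo" after sourcing the script; it prints xxx when the alias survived the PKCS12 step. The answer's step 3 (pepk.jar with the encryption key from the Play Console) is left out on purpose, since that tool and key come from Google and cannot be exercised offline.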