# Signing keys

Signing keys are used for two reasons:

* re-signing binaries for rollback releases – during this process, the signing key of the original binary is checked and must match the signing key being used for re-signing. This means that signing keys can never be used to sign a binary that wasn’t previously signed with the same signing key.
* generating universal APKs from AABs - since Android AAB builds cannot be directly installed on Android devices by default, Runway will use your app's signing key to automatically generate installable universal APKs.

If your app has previously been shipped through the Google Play Console or App Store Connect, there’s a good chance the signing key for your app already exists. However, if you need to create a new one, please follow the instructions below.

<details>

<summary>How to generate a signing certificate and private key pair for App Store Connect</summary>

**Step 1: Create a Signing Certificate (via a Certificate Signing Request - CSR)**

1. On your Mac, open the **Keychain Access** app.
2. From the top menu: `Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority`.
3. Enter your **email address** and **Common Name** (like your name or your company name).
4. Select “Saved to disk” and click **Continue**.
5. This will create a **.certSigningRequest** file on your computer.

**Step 2: Upload CSR and Download Certificate**

1. Go to [Apple Developer Certificates](https://developer.apple.com/account/resources/certificates/list)
2. Click **+** to create a new certificate (usually “Apple Distribution”).
3. Upload the **.certSigningRequest** file you created.

**Step 3: Export the `.p12` File**

1. Double-click the downloaded `.cer` file to add it to **Keychain Access**.
2. In Keychain Access, locate the certificate (usually under “My Certificates”).
3. Right-click the certificate > **Export**.
4. Choose the `.p12` format and set a password.
5. Save the file — this is your **iOS signing certificate**.

</details>

<details>

<summary>How to generate a Keystore File for Google Play Console</summary>

Use **Android Studio** or the command line:

```bash
keytool -genkey -v -keystore your_app.keystore -alias your_alias_name -keyalg RSA -keysize 2048 -validity 10000
```

* You’ll be asked to set a password and fill in info like name and company.
* This will generate a `.keystore` file.

**Tip:** Keep your keystore file safe! You’ll need it for future updates.

</details>
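
Because re-signing only succeeds when the uploaded key matches the key that signed the original binary, it helps to confirm that match locally first. The script below is an added example, not Runway's own code: it compares the SHA-256 certificate fingerprint of a keystore with that of an already released APK. The script name and file arguments are placeholders, and it assumes `keytool` (JDK) and `apksigner` (Android SDK build-tools) are on your `PATH`.

```shell
#!/bin/sh
# Added example (not Runway code): does this keystore hold the key that signed a released APK?
# Usage (placeholder names): sh check_signer.sh your_app.keystore your_alias_name released.apk

# Normalise a fingerprint: strip colons and whitespace, lowercase the hex digits.
norm_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read `keytool -list -v` output on stdin and print the first SHA-256 fingerprint.
keystore_fp() {
    fp=$(sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1)
    norm_fp "$fp"
}

# Read `apksigner verify --print-certs` output on stdin and print signer #1's SHA-256 digest.
apk_fp() {
    fp=$(sed -n 's/^Signer #1 certificate SHA-256 digest:[[:space:]]*//p' | head -n 1)
    norm_fp "$fp"
}

# Return 0 when both fingerprints are identical, 1 when they differ,
# and 2 when the first is not 64 hex characters (empty or unparsed tool output).
same_signer() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    case "$a" in *[!0-9a-f]*|'') return 2 ;; esac
    [ "${#a}" -eq 64 ] || return 2
    [ "$a" = "$b" ]
}

# Runs only when called with the three arguments; keytool prompts for the keystore password.
if [ "$#" -eq 3 ]; then
    ks=$(keytool -list -v -keystore "$1" -alias "$2" | keystore_fp)
    apk=$(apksigner verify --print-certs "$3" | apk_fp)
    if same_signer "$ks" "$apk"; then
        echo "match: $ks"
    else
        echo "MISMATCH or unreadable: keystore=$ks apk=$apk" >&2
        exit 1
    fi
fi
```

A non-zero exit means the keystore should not be uploaded as the signing key for that app until the difference is explained.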

We take security seriously and have a robust system in place for keeping your signing keys safe. Signing keys are encrypted both in transit and while at rest and, once uploaded, they are inaccessible from the open internet – our signing server sits in a virtual private cloud (VPC).

