Signing keys

Signing keys are used for two reasons:

  • re-signing binaries for rollback releases – during this process, the signing key of the original binary is checked and must match the signing key being used for re-signing. This means that signing keys can never be used to sign a binary that wasn’t previously signed with the same signing key.

  • generating universal APKs from AABs – since Android AAB builds cannot be directly installed on Android devices by default, Runway will use your app’s signing key to automatically generate installable universal APKs.

If your app has previously been shipped through the Google Play Console or App Store Connect, there’s a good chance the signing key for your app already exists. However, if you need to create a new one, please follow the instructions below.

How to generate a signing certificate and private key pair for App Store Connect

Step 1: Create a Signing Certificate (via a Certificate Signing Request - CSR)

  1. On your Mac, open the Keychain Access app.

  2. From the top menu: Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.

  3. Enter your email address and Common Name (like your name or your company name).

  4. Select “Saved to disk” and click Continue.

  5. This will create a .certSigningRequest file on your computer.

Step 2: Upload CSR and Download Certificate

  1. Click + to create a new certificate (usually “Apple Distribution”).

  2. Upload the .certSigningRequest file you created.

Step 3: Export the .p12 File

  1. Double-click the downloaded .cer file to add it to Keychain Access.

  2. In Keychain Access, locate the certificate (usually under “My Certificates”).

  3. Right-click the certificate > Export.

  4. Choose the .p12 format and set a password.

  5. Save the file — this is your iOS signing certificate.

How to generate a Keystore File for Google Play Console

Use Android Studio or the command line:

keytool -genkey -v -keystore your_app.keystore -alias your_alias_name -keyalg RSA -keysize 2048 -validity 10000

  • You’ll be asked to set a password and fill in info like name and company.

  • This will generate a .keystore file.

Tip: Keep your keystore file safe! You’ll need it for future updates.
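
Re-signing requires that the key match the one that signed the original binary, so before uploading a keystore it is worth confirming that it holds the key that signed an already-released APK. The script below is an added example, not Runway's own check; it assumes the JDK's keytool and the Android SDK's apksigner are on PATH, and its function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: compare the SHA-256 certificate fingerprint in a keystore
# with the signer of a released APK. Function names are illustrative.

# Read `keytool -list -v` output on stdin; print the SHA-256 fingerprint
# as lower-case hex without colons.
keystore_sha256() {
  awk '$1 == "SHA256:" { gsub(":", "", $2); print tolower($2); exit }'
}

# Read `apksigner verify --print-certs` output on stdin; print one digest per
# APK signer. The anchored pattern skips "Source Stamp Signer" lines, which
# describe the distributor's stamp and not the app signing key.
apk_signer_sha256() {
  awk '/^Signer #[0-9]+ certificate SHA-256 digest:/ { print tolower($NF) }'
}

# $1 = keystore fingerprint, $2 = APK signer digest(s), one per line.
# Succeeds only when the APK has exactly one signer and it equals the keystore key.
same_signing_key() {
  [ -n "$1" ] && [ "$(printf '%s\n' "$2" | grep -c .)" -eq 1 ] && [ "$1" = "$2" ]
}

# usage: check_release_key <keystore> <alias> <apk>
# keytool prompts for the keystore password, so it never appears in argv.
check_release_key() {
  local ks_fp apk_fp
  ks_fp=$(keytool -list -v -keystore "$1" -alias "$2" | keystore_sha256)
  apk_fp=$(apksigner verify --print-certs "$3" | apk_signer_sha256)
  if same_signing_key "$ks_fp" "$apk_fp"; then
    echo "MATCH: $ks_fp"
  else
    echo "MISMATCH: keystore=${ks_fp:-none} apk=${apk_fp:-none}" >&2
    return 1
  fi
}

if [ "$#" -eq 3 ]; then
  check_release_key "$@"
else
  # No arguments: run on constructed tool output (shortened values, not real).
  demo_ks=$(printf '\t SHA1: 11:22\n\t SHA256: AB:CD:EF:01\n' | keystore_sha256)
  demo_apk=$(printf 'Signer #1 certificate SHA-256 digest: abcdef01\n' | apk_signer_sha256)
  same_signing_key "$demo_ks" "$demo_apk" && echo "demo: fingerprints match ($demo_ks)"
fi
```

Run it as `./check_key.sh your_app.keystore your_alias_name released.apk` (the script and APK file names are placeholders); a non-zero exit status means the keystore does not hold the key that signed the APK.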

We take security seriously and have a robust system in place for keeping your signing keys safe. Signing keys are encrypted both in transit and while at rest and, once uploaded, they are inaccessible from the open internet – our signing server sits in a virtual private cloud (VPC).
