Introduction
Keystore inspection comes up constantly during Android development and release:
- Play Console requires SHA1/SHA256
- Firebase setup needs the fingerprint
- Verifying that an APK is signed with the right key
Here's a reference for the commands you'll use in each of these situations.
Basic: View All Keystore Information
keytool -list -v -keystore your-keystore.jks
After entering your password, you'll see output like this:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: mykey
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=My App, OU=Development, O=My Company
SHA1: AB:CD:EF:12:34:56:...
SHA256: 01:23:45:67:89:AB:...
The SHA1 and SHA256 values are the fingerprints you register in Firebase and Play Console.
Just Check the Alias Name
keytool -list -keystore release.jks
Omitting -v gives you a compact view — useful when you just need the alias name and entry type.
Check Which Key Signed an APK
Inspect the signing information of an existing APK:
apksigner verify --print-certs app-release.apk
Or:
keytool -printcert -jarfile app-release.apk
This lets you confirm the SHA1/SHA256 of the APK — useful for verifying "was this APK signed with the correct key?"
Checking debug.keystore
Android Studio auto-generates a debug.keystore in a default location.
Location:
C:\Users\<username>\.android\debug.keystore (Windows)
~/.android/debug.keystore (Mac/Linux)
Command:
# Windows
keytool -list -v -keystore %USERPROFILE%\.android\debug.keystore
# Mac/Linux
keytool -list -v -keystore ~/.android/debug.keystore
Default values:
| Item | Value |
|---|---|
| Password | android |
| Alias | androiddebugkey |
| Validity | 30 years |
Checking Your build.gradle Signing Configuration
To see which keystore your build is using, look at the signingConfigs section in app/build.gradle.
Groovy (build.gradle):
signingConfigs {
release {
storeFile file("release.jks")
storePassword "xxxxx"
keyAlias "mykey"
keyPassword "xxxxx"
}
}
Kotlin (build.gradle.kts):
signingConfigs {
create("release") {
storeFile = file("release.jks")
storePassword = System.getenv("STORE_PASSWORD")
keyAlias = "mykey"
keyPassword = System.getenv("KEY_PASSWORD")
}
}
Reading passwords from environment variables instead of hardcoding them is the safe approach for CI/CD environments.
If keytool Isn't Found on Windows
'keytool' is not recognized as an internal or external command
This error means the JDK's bin directory isn't on your PATH.
Option 1: Run with the full path
"C:\Program Files\Java\jdk-17\bin\keytool.exe" -list -v -keystore release.jks
Option 2: Add to PATH (permanent fix)
- Open System Properties → Environment Variables
- Add
C:\Program Files\Java\jdk-17\bintoPath - Restart your terminal
Option 3: Use Android Studio's bundled JDK
"C:\Program Files\Android\Android Studio\jbr\bin\keytool.exe" -list -v -keystore release.jks
Android Studio ships with a JDK, so if you have it installed, this always works.
Summary
| Purpose | Command |
|---|---|
| View all keystore info | keytool -list -v -keystore xxx.jks |
| Check alias name only | keytool -list -keystore xxx.jks |
| Verify APK signature | apksigner verify --print-certs xxx.apk |
| Check debug.keystore | keytool -list -v -keystore %USERPROFILE%\.android\debug.keystore |
Next time you need SHA1/SHA256 for Firebase or Play Console setup, these commands will get you there fast.