How to generate 11 char hash key for Sms Retriever with Google App signing

As default bash commands were not working for me and I needed to generate hashes for both local keystore and Google Play certificate, I wrote my own Ruby script for that: https://github.com/michalbrz/sms-retriever-hash-generator/blob/master/google_play_sign.rb

Then generating hash with Google Play signing is just:

ruby google_play_sign.rb --package com.your.app --google-play-key deployment_key.der

where deployment_key.der is certificate downloaded from Google Play as in Nick's response.

Under the hood it transforms Google Play cert into keystore and basically does what other suggested bash commands do, but wraps it in something easier to use.


In the help documents for Google Play App Signing it has a section "New Apps". Step 4 in this section is:

Step 4: Register your app signing key with API providers If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.

To find the certificate of the key Google uses to re-sign your APK for delivery:

  1. Sign in to your Play Console.
    1. Select an app.
    2. On the left menu, click Release management > App signing.
    3. From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.

Download the original certificate in DER format and then use your command on that certificate.


Here is the complete step by step guide .

  1. Go to play console -> open app -> Release management -> App Signing -> Download Certificate . Like in below screen shot

enter image description here

This will give you deployment_cert.der file

  1. Convert the deployment_cert.der file to a .jks file

use below command

keytool -importcert -alias YOUR_ALIAS -file deployment_cert.der -keystore certificate.jks -storepass YOUR_PASSWORD

Replace YOUR_ALIAS,YOUR_PASSWORD with yours which used in keystore . In place of deployment_cert.der use complete path if required

After entering this command it will ask

Trust this certificate? [no]: yes

type yes and click enter . It will show message

Certificate was added to keystore

This will generate a new file certificate.jks

  1. Now in terminal enter command

    keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Replace YOUR_ALIAS,YOUR_PACKAGE with yours which used in keystore,project . In place of certificate.jks use complete path if required

it will ask for password

Enter keystore password: mypassword

enter your password and you will get the hash .

EDIT For MacOS users:

If you're using MacOS you can install sha256sum by installing coreutils like this:

brew install coreutils

Or you can use shasum -a 256 instead of sha256sum like this:

keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | shasum -a 256 | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Credits to Abhinav Gupta and Op of this question Farhan Farooqui and above answer from Nick Fortescue