Why does Godot Android export fail with keystore error?

The export preset references a keystore file that does not exist, or the alias and password do not match. Open Project > Export > Android preset and verify Debug Keystore path is set, alias matches the keystore, and password is correct. Generate a fresh keystore with keytool if needed.

How do I generate a Godot Android keystore?

Run: keytool -genkey -v -keystore mygame.keystore -alias mygame -keyalg RSA -keysize 2048 -validity 10000. Set a password when prompted. Reference the keystore in Godot Editor > Settings > Export > Android > Debug Keystore (for debug builds) or in the export preset for release.

Why does Godot 4 require JDK 17 for Android exports?

Android Gradle Plugin 8 requires JDK 17. Godot 4 ships with that requirement. Install Java 17 (Temurin or OpenJDK), set JAVA_HOME to its install path, and confirm in Editor > Settings > Export > Android > Java SDK Path.

Fix: Godot Android Export Keystore Verification Failed

Quick answer: Godot Android exports need a valid keystore plus matching alias and password. Generate a debug keystore with keytool, set its path in Editor → Settings → Export → Android, and ensure JDK 17 is the active Java SDK (required by Android Gradle Plugin 8).

Here is how to fix Godot 4 Android exports that fail with keystore verification errors. The export starts, Gradle assembles, and at the signing step you get jarsigner: certificate chain is not validated or keystore was tampered with, or password was incorrect. Three things have to align: the keystore file, the alias and password, and the JDK version Godot uses.

The Symptom

Export to Android fails late in the process. Console output references keystore signing or jarsigner failures. The exported APK either does not appear or is unsigned. Installing the unsigned APK on device fails with parse errors.

What Causes This

Keystore path empty. First-time exporters often skip the Debug Keystore field. Without it, signing has no key to use.

Alias or password wrong. The keystore stores keys under aliases. If the alias in Godot does not match what is in the file, signing fails.

JDK version wrong. Android Gradle Plugin 8+ requires JDK 17. Godot uses whatever Java is configured. Older JDKs (8, 11) produce signing failures or build errors before reaching signing.

Mixed debug/release keystore configuration. Godot has separate fields for debug and release keystores. Misconfiguring one affects the corresponding build type.

The Fix

Step 1: Generate a debug keystore.

# Generate a 27-year keystore for debug usage
keytool -genkey -v \
  -keystore debug.keystore \
  -alias androiddebugkey \
  -keyalg RSA -keysize 2048 -validity 10000 \
  -storepass android -keypass android \
  -dname "CN=Android Debug,O=Android,C=US"

This is the same convention Android Studio uses for debug builds. Place it somewhere outside your project folder for security.

Step 2: Configure the keystore path in Godot. Open Editor → Editor Settings → Export → Android. Set:

Debug Keystore             /path/to/debug.keystore
Debug Keystore User        androiddebugkey
Debug Keystore Pass        android

For release builds, generate a separate keystore with a strong password and configure it per-preset under Project → Export → Android preset → Encryption & Signing.

Step 3: Verify JDK 17 is active.

# Check Java version
java -version
# Should show: 17.0.x or higher

# If wrong, install JDK 17
# macOS:    brew install openjdk@17
# Ubuntu:   sudo apt install openjdk-17-jdk
# Windows:  https://adoptium.net/temurin/releases/?version=17

Set Editor → Settings → Export → Android → Java SDK Path to the JDK 17 install root. Restart Godot.

Step 4: Generate a release keystore for store uploads.

keytool -genkey -v \
  -keystore mygame-release.keystore \
  -alias mygame \
  -keyalg RSA -keysize 2048 -validity 10000

The validity (10000 days = 27 years) is required by Google Play Store. Shorter keys may be rejected.

Step 5: Configure the release preset. In Project → Export, select your Android preset. Under Encryption & Signing:

Release Keystore           /path/to/mygame-release.keystore
Release Keystore User      mygame
Release Keystore Pass      <your strong password>

Now Export Project with Debug unchecked produces a properly signed release APK or AAB.

Storing The Keystore Safely

If you lose your release keystore or password, you cannot ship updates to existing Play Store users. Back up the keystore file and password to a password manager and an offline location. Never check the release keystore into version control.

Common Errors Cheat Sheet

jarsigner: certificate chain not validated
   Cause: keystore tampered or wrong password
   Fix:   regenerate keystore, update Godot config

SDK Build Tools revision (XX.X.X) is too low
   Cause: Android SDK Build-Tools out of date
   Fix:   install latest in Android Studio SDK Manager

Could not find tools.jar
   Cause: JDK 8 instead of JDK 17
   Fix:   install JDK 17, update JAVA_HOME

“Keystore + alias + password + JDK 17. All four must agree, every export.”

Related Issues

For other Godot export issues, see Export Template Missing Android and Export Template Version Mismatch.

Generate. Configure. Verify Java 17. Sign. Ship.