Signing an APK with an Upload Key Provided by Google Play

How to sign apk with Google signed keys to upload in other apps stores

If you haven't provided Google with your own signing key when enrolling in Play Signing, then you can't sign the APK yourself.

If you upload an App Bundle to the Play Console, you can download the universal APK from the "Bundle Explorer" page in the Play Console. This APK will be signed with the signing key (i.e. the one on installed on users' devices).

If you upload an APK, then you can simply download the APK signed with the signing key in the Play Console (also in "Bundle Explorer").

It does seem a bit weird though that your users would download from Play but then upgrade from another store, so worth thinking if it's worth the extra hassle to share the signing key across stores.

Use provided upload_cert.der to sign a release Android APK file

The .der file you uploaded to the Play Console (and that is also available for download in the App Signing page in the Play Console) does not contain the private key, it only contains the public key, so you won't be able to sign anything with it.

Only the keystore you created to generate your upload certificate contains the private key and must be used to sign your APKs (or App Bundles).

In other words, you shouldn't create another keystore after enrollment in Play Signing, you should use the keystore you have created to generate the upload certificate to sign your future artifacts.

Hope that helps.

Can I upload an APK+OBB signed with upload key to Google Play when the signing key is generated by Google?

you can upload a signed apk or AAB with your local generated keyStore .

if you had already selected app signing by google , the signing will be changed to the key generated by the store.
if you didn't select this option your signature will remain , and make sure to keep your keystore safe for further updates as its necessary and can't be changed again.

Google play app signing process certificates

The app signing process in Play store is demonstrated below,

Sample Image

Google Play signing uses two keys.

Upload key
App signing key

Upload Key

TL;DR: Google use this key to identify the uploader of the apk/bundle

This key is used to sign the apk/bundle when uploading to the Play Store. This key let Android know the app updates are authentic and comes from the original author.

upload_cert.der is the public key for the Upload key.

App Signing Key

This key is used to sign the APKs that are installed in the user's device. You can have Google manage the key

deployment_cert.der is the public key of the app signing key.

So answering your questions,

if your device is running app signed with upload key (developer key), the fingerprints in API console should match with the upload key, vice versa if the app in your device is signed with App Signing key, you need to have the fingerprints of the same. Commonly the signed apks/bundles built from android studio are signed with the upload key you choose. The app installs from the Play Store uses App Signing Key.
Keep it safe, this is required for Google to identify the author when pushing updates.
See the App Signing Key part
See the Upload Key part