Google Sign-In on Play Store — Troubleshooting Guide

A complete, copy-pasteable guide for resolving the #1 cause of Google
Sign-In failure on Play Store builds: SHA-1 fingerprint mismatch between
your local builds and the Play App Signing key.

Confirmed working: 2026-05-07. Project: motoshare_driver_admin,
Cloud project: motoshare-a61eb (display name Motoshare).

1. Symptoms

The bug always presents the same way:

Common error patterns reported by users:

• "Sign-In failed" toast right after picking an account
• Account picker opens but never returns
• Plugin throws PlatformException(sign_in_failed, …, status: 12500) or status 10

If your Sign-In fails on any other build (e.g. emulator), this is not the
bug described here — see Section 7 — When this guide doesn't apply.

2. Why it happens — the root cause

When you upload an .aab to Google Play, Google strips your signature and
re-signs the app with their own key (the "App signing by Google Play"
feature, mandatory since 2021). This means three different signing keys are
in play, with three different SHA-1 fingerprints:

                                                  SHA-1 fingerprint
                                                  ─────────────────
[1]  flutter run / debug builds      → debug key      AA:BB:CC:...
[2]  flutter build appbundle         → upload key     DD:EE:FF:...
[3]  Install from Play Store         → Google's       11:22:33:...
                                       app signing
                                       key

Google Sign-In's Android client checks the running app's signature against
the SHA-1s registered on its OAuth Android client. If the SHA-1 doesn't
match, sign-in is rejected before any UI even appears.

Most developers register only key 1 or 2. Key [3] is
controlled by Google and lives in Play Console — it's not on your machine,
which is why this bug never reproduces locally.

3. Architecture: where SHA-1s need to be

                                                  ┌──────────────────────┐
                                                  │  Google Cloud OAuth  │
   Phone runs APK signed with one of these keys → │  Android client(s)   │
                                                  │  for package         │
   ┌──────────┐  ┌──────────┐  ┌──────────────┐   │  com.cotocus...      │
   │ Debug    │  │ Upload   │  │ App signing  │ ←─┤  Each client holds   │
   │ keystore │  │ keystore │  │ (Google)     │   │  exactly ONE SHA-1   │
   └──────────┘  └──────────┘  └──────────────┘   └──────────────────────┘
        │             │              │
        SHA-1 [1]    SHA-1 [2]      SHA-1 [3]   ← all three must be
                                                  registered against the
                                                  same package name

Because each Android OAuth client only allows one SHA-1, you need
multiple Android OAuth clients with the same package name, one per
SHA-1. Google's auth servers accept whichever SHA-1 matches the running
build.

4. The fix — step by step

Total time: ~5 minutes. No app rebuild or new release upload required.

Step 1 — Get the App signing key SHA-1 from Play Console

1. Open Play Console → select your app.
2. Left sidebar → Test and release → App integrity.
3. Find the App signing section. Click to expand if needed.
4. Two certificates appear:

App signing key certificate         ← copy SHA-1 from THIS one
  SHA-1: 11:22:33:44:55:66:...
  SHA-256: ...

Upload key certificate
  SHA-1: DD:EE:FF:...
  SHA-256: ...

Copy the SHA-1 under App signing key certificate. It will look like:

9A:04:19:E7:58:68:3A:70:7B:7D:5B:D1:28:91:36:5C:B1:3C:5E:D7

(40 hex chars separated by colons.)

Critical: copy from App signing key certificate, not from
Upload key certificate. They are different keys.

Step 2 — Add a new Android OAuth client in Google Cloud Console

1. Open Google Cloud Console → make sure the project selector at the top shows the same project that your app uses for Sign-In. (For this repo: Motoshare / motoshare-a61eb.)
2. Sidebar → APIs & Services → Credentials.
3. Top bar → + CREATE CREDENTIALS → OAuth client ID.
4. Fill in:

1. Click Create.

You should now see two Android OAuth clients in the Credentials list,
both with the same package name but different SHA-1s. Keep both — do
not delete the original. The original SHA-1 still serves your local debug
and upload-signed builds.

Step 3 — Verify OAuth consent screen is published

This is a frequent secondary cause of Play Store failures.

1. Sidebar → Google Auth Platform → Audience (formerly "OAuth consent screen").
2. Publishing status must be In production.
3. User type should be External.
4. If status says Testing, click PUBLISH APP → confirm.

Apps in Testing mode only allow sign-in for explicitly-added test
users. Anyone else gets an error regardless of SHA-1.

Step 4 — Confirm the Web client ID in Flutter code

The google_sign_in plugin needs the Web client ID to issue ID tokens,
not the Android client ID. Open your code where GoogleSignIn is
configured:

// lib/src/shared/providers.dart
const _googleWebClientId =
    '335553606969-k446g8jjeclomdbf4etgdgdgdfdddrhs5.apps.googleusercontent.com';

Verify:

• Type is Web application (not Android)
• It lives in the same Cloud project as your Android clients
• The string matches the Client ID shown for the Web OAuth client in Cloud Console → Credentials

For this repo it should match motoshare-driver-admin-web.

Step 5 — Test

No rebuild, no new release upload — these changes are server-side.

1. Wait 5–10 minutes for Google's auth servers to propagate.
2. On a real phone:
   • Uninstall the Play Store version
   • Re-install from Play Store (Internal testing track is fine)
   • Tap Google Sign-In → pick account → should succeed

5. Verifying you actually fixed it

After ~10 minutes of normal use, return to the new OAuth client in Cloud
Console:

APIs & Services → Credentials → click your new "(play signing)" client

Look at Last used date in the right-hand panel. If it shows today's
date, your Play Store APK is actively reaching this client and SHA-1
matching is working.

Last used date    May 7, 2026 (Note: this data could be delayed by a day
                  or more.)

That timestamp is the strongest single signal that the fix worked.

6. Common pitfalls

Pitfall: copied the Upload key SHA-1 instead of App signing key

Both certificates are listed on the same page in Play Console. They are
different keys. Only the App signing key certificate SHA-1 fixes this
bug.

Pitfall: deleted the old Android client

Don't. The original client's SHA-1 covers your debug and release-built
local APKs. Deleting it breaks flutter run and any side-loaded build.
Keep both Android clients alive.

Pitfall: pasted the SHA-1 into the wrong Cloud project

Many teams have multiple Cloud projects (in this repo there's also a
Motoshare Old). The SHA-1 must go into the same project that your
Web client lives in — otherwise the Web ID token issued at runtime can't
be matched to the Android client. Confirm the project selector at the top
of Cloud Console matches the one referenced by _googleWebClientId in
your Flutter code.

Pitfall: tried to "Link Cloud project" in Play Console and got "Project not found"

That's a separate feature for the Play Integrity API, unrelated to
Google Sign-In. The error means your account isn't an Owner on the Cloud
project. Skip this — Sign-In doesn't require it.

Pitfall: still in Testing mode

Even with the right SHA-1, an OAuth consent screen in Testing mode
blocks every Google account that isn't on the test users list. Push to
In production under Audience.

Pitfall: passing the Android client ID as serverClientId

The google_sign_in plugin needs the Web client ID. Android client
IDs don't issue ID tokens. Symptom: account picker works, but the backend
ID-token verification fails afterward.

Pitfall: google-services.json references the wrong project

If your repo uses Firebase tooling, an outdated android/app/google-services.json
can pin Sign-In to a stale project. Re-download it from Firebase Console
(or delete it entirely if you don't use Firebase — google_sign_in works
without it as long as serverClientId is hard-coded).

7. When this guide doesn't apply

This guide solves only the Play-Store-specific Sign-In failure. If
Sign-In is broken in all environments (emulator, local APK, Play
Store), you have a different bug. Likely culprits:

• Wrong package name in the OAuth client (must exactly match applicationId in android/app/build.gradle.kts)
• serverClientId pointing at a deleted or wrong-project Web client
• OAuth consent screen requesting unverified sensitive scopes
• google_sign_in plugin version mismatch with google_sign_in_android
• MainActivity not extending FlutterFragmentActivity (for plugins that need it)
• Backend rejecting the ID token (audience or issuer mismatch in Keycloak)

Use adb logcat | grep -iE "googlesignin|gms|auth" while reproducing the
failure to capture the exact error code. Status code reference:

Status 10 and 12500 are the SHA-1-related ones.

8. Reference: this repo's exact configuration (post-fix)

Cloud project:     Motoshare (motoshare-a61eb), project number 338933606969

OAuth 2.0 Client IDs:
  motoshare-driver-admin-web                Web      338933606969-k446...
  motoshare-driver-admin-app                Android  88:6C:D0:27:21:3F:2E:DA:2E:EE:E3:A6:51:A0:4F:50:1B:F1:F3:20  (debug/upload)
  motoshare-driver-admin-app (play signing) Android  9A:04:19:E7:58:48:3A:70:6B:7D:5B:D1:28:91:36:5C:B1:4C:3E:D7  (Play App Signing)

Both Android clients use package: com.cotocus.motoshare_driver_admin

Flutter code (lib/src/shared/providers.dart):
  serverClientId = '338933606969-k446g8jjeclomdbf4ete2efmgr06rhs5.apps.googleusercontent.com'
                   (matches motoshare-driver-admin-web)

Audience: External, Publishing status: In production

9. Quick-start checklist for future apps

When wiring Google Sign-In on a new Android app, do all of this before
the first Play Store release:

• [ ] Create one Android OAuth client with your debug keystore SHA-1
• [ ] Create one Web OAuth client → use its Client ID as serverClientId
• [ ] Set OAuth consent screen → External, In production
• [ ] Upload first AAB to Play Console → enable App signing
• [ ] Read the App signing key SHA-1 from Play Console → App integrity
• [ ] Create a second Android OAuth client with that SHA-1, same package name
• Create a third Android client with your upload key SHA-1 if you sometimes share an upload-signed APK directly with testers
• [ ] Confirm Sign-In works on Play Store install (Last used date updates within minutes)

Tracking SHA-1s up front saves a release cycle of debugging later.

10. Reusing this guide

This guide is project-agnostic apart from Section 8. To adapt it for
another app, change:

• The Cloud project ID, project number, and client IDs in Section 8
• The package name (com.cotocus.motoshare_driver_admin) in Section 4
• The serverClientId constant location and value in Steps 4 and Section 8