 

Android - Obtain a key from a certification authority like VeriSign

Tags: android, sign

Hi
I have written a program, and my boss asked me to sign the APK file without a self-signed certificate. How can I get a certificate from an authority like VeriSign?

Thanks

Likes: 223
Charles Yeung asked Jun 02 '11 02:06


3 Answers

You cannot use a Verisign or other commercial code-signing certificate to sign Android APKs for distribution in Android Market. The Android Market requires that the certificate expiry date have a year greater than or equal to 2033, but no commercial certificate vendor will sell you a cert with an expiry date that far in the future (their business is forcing you to come back and pay every year: selling you a 3-decade cert kind of defeats that). See http://developer.android.com/guide/publishing/app-signing.html#releasemode for the date information.

So no, you cannot use a commercial authority cert.

Likes: 152
Femi answered Nov 13 '22 19:11
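An added example, not code from the original post or any of the answerers, that checks the expiry rule quoted above: it computes the expiry a `keytool -validity <days>` value produces for a key created on a given date, applies the year-2033 rule, and parses the `until:` line of a constructed `keytool -list -v` listing (English-locale output format is assumed; 10000 days is the value the Android app-signing docs use in their keytool example).

```python
import re
from datetime import date, datetime, timedelta

# Rule quoted in Femi's answer: the signing certificate must expire in 2033 or
# later. 10000 days is the -validity value used in the Android docs' keytool example.
MARKET_MIN_EXPIRY_YEAR = 2033
DOC_KEYTOOL_VALIDITY_DAYS = 10000

def meets_market_rule(expiry: date) -> bool:
    """True if a certificate expiring on `expiry` satisfies the 2033 rule."""
    return expiry.year >= MARKET_MIN_EXPIRY_YEAR

def check_validity(created_iso: str, validity_days: int) -> tuple[str, bool]:
    """Expiry (ISO date) that `keytool -validity <days>` yields for a key created
    on `created_iso`, plus whether that expiry passes the market rule."""
    expiry = date.fromisoformat(created_iso) + timedelta(days=validity_days)
    return expiry.isoformat(), meets_market_rule(expiry)

def parse_keytool_expiry(listing: str) -> date:
    """Pull the 'until:' date out of `keytool -list -v` output.
    Assumes the English-locale line 'Valid from: ... until: <date>' (keytool
    localises this line, so the exact format is an assumption)."""
    m = re.search(r"until:\s*(.+?)\s*$", listing, re.MULTILINE)
    if not m:
        raise ValueError("no 'until:' line found in keytool output")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Z %Y").date()

def check_listing(listing: str) -> tuple[str, bool]:
    """Expiry (ISO date) taken from a keytool listing and the market-rule verdict."""
    expiry = parse_keytool_expiry(listing)
    return expiry.isoformat(), meets_market_rule(expiry)

# Constructed sample of `keytool -list -v` output for a key generated on the
# question's date with -validity 10000; not real output from anyone's keystore.
SAMPLE_LISTING = """\
Alias name: release
Creation date: Jun 2, 2011
Entry type: PrivateKeyEntry
Valid from: Thu Jun 02 02:06:00 UTC 2011 until: Mon Oct 18 02:06:00 UTC 2038
"""

if __name__ == "__main__":
    for label, days in (("self-signed, -validity 10000", DOC_KEYTOOL_VALIDITY_DAYS),
                        ("one-year commercial cert", 365)):
        print(label, "->", check_validity("2011-06-02", days))
    print("keystore listing ->", check_listing(SAMPLE_LISTING))
```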


Android currently doesn't support code certificates the way Windows does with Authenticode.

Let me explain this better.

In Windows, signing with Authenticode creates a trust relationship from the executable to your company. If you run Vista/Seven (8?), UAC prompts show the author of the program when a valid certificate is present; otherwise a yellow prompt warns you the software is unsigned. This helps you decide whether or not to run the application.

In Android, no author information is displayed, ever, when you install a program. What matters is the private keys. An APK signed with the same key as an installed application:

  • Is surely coming from the same author
  • If the package name matches, can update the existing application
  • If it is a different application, can access the private data of the other application, like Authenticator's stored passwords. In general, APKs from the same vendor (private key) run under the same UID

My answer is aimed at reminding your boss that in the current Android ecosystem digital certificates are almost worthless. I didn't try Symantec, but I believe they barely offer you a remote signing tool where they have ownership of the private keys: you send an APK and they return you a signed APK. If anyone knows I'm wrong, please tell me.

My source is the official Android documentation. The document says "The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates." "Does not need to" does not mean "cannot", of course.

Likes: 33
usr-local-ΕΨΗΕΛΩΝ answered Nov 13 '22 19:11


I just stumbled on this website (Symantec Code Signing for Android) while searching on the same issue. It turns out that Verisign does offer a solution for signing Android applications; however, it's not cheap :)

Likes: 1
Aviad P. answered Nov 13 '22 19:11