Menu
How do I sign an APK with more than one certificate, so that I can do this when I publish to the Android Market:
Version 1.0 => Signed with Certificate A
Version 2.0 => Signed with Certificate A & B
Version 3.0 => Signed with Certificate B
The Android Market does give me some hope but I am not sure what to make of it, when I upload with a different sign certificate it gives me this message:
"The apk must be signed with at least one certificate in common with the previous version."
Motive:
I have published an app on the market using the Android Signing Tool as part of MotoDev Studio for android. The problem is that it handles the keys itself and there is no way (documented) to get them. I want to change it to use a keystore and certificate that I have more control of and can use even if I don't use MotoDev Studio anymore. Also it seems that MotoDev Studio will lock you out of new features such as shared libraries.
UPDATE 5/3/2011:
They have been actually really quick and prompt at updating MotoDev Studio but it seems like I believe that Google should still provide a work around for those that want to change the certificates of their applications. Updating application to all use the same certificate, creating new ones over time, and possibly creating a new one so that you may hand of the support and distribution of your application to others.
242
Sign an APK You can include this information in two different ways: Specify a KeyStore file using the --ks option. Specify the private key file and certificate file separately using the --key and --cert options, respectively. The private key file must use the PKCS #8 format, and the certificate file must use the X.
Unfortunately, there is nothing else we can do to assist you further with this matter. Show activity on this post. As blackbelt stated, if you signed it with a different keystore, it will be a new application. So you should tell your users that they have to download the new version of the app.
If you want to sign an APK more than once, just do so.
But note that Google Play does not accept APKs with multiple signatures.
eg. You can sign an APK from the command line using jarsigner like so:jarsigner -keystore original-keystore my-app-unsigned.apk key-alias alias
Then just repeat this with the second key:jarsigner -keystore new-signing-keystore my-app-unsigned.apk key-alias
Don't forget to run zipalign afterwards:zipalign -v 4 my-app-unsigned.apk my-app.apk
I just re-read the part about MotoDev studio. In that case you can just sign the APK first using MotoDev as usual, then sign with your new key on the command line as above.
58
I was really pleased to see this post until I saw @ddcruver's comment (2010-06-05) and @cistearns' comment (2011-03-01).
However, there's actually a major security issue with the transition method you describe (if it were to work how you'd expect), making it fairly trivial for an attacker to replace your app if they can get your users to install their stuff:
Normally, if an attacker tried to replace something, the install would refuse unless the original is removed - at which point the data is wiped.
On the other hand, there are still several valid use-cases for transitioning a key/certificate: key renewal, hand over to another developer, etc.
This could be done more securely by authorising the transition to a new key from the old key. Please see the issue in the Android project.
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
