When exporting a signed Android application using Eclipse, is there a purpose to using multiple aliases?
According to the official guide about signing, it's recommended that you sign all applications with the same certificate to allow your applications to share data, code and be updated in modular fashion.
Assuming that "alias", "key" and "certificate" are essentially interchangeable in this context, is there a reason why someone would want to use different aliases for all their applications? The only reason I can think of is that it adds more security to your applications, in the sense that a compromised key/password doesn't compromise everything. Are there other reasons?
Also, is the generated key dependent on the name of the alias? In other words, if you change the name of the alias but not the password, would the generated certificate be different?
KeyStore Aliases An alias is specified when you add an entity to the keystore using the -genseckey command to generate a secret key, -genkeypair command to generate a key pair (public and private key) or the -importcert command to add a certificate or certificate chain to the list of trusted certificates.
You can have a keystore with as many certificates and keys as you like. If there are multiple certificates in a keystore a client uses as its truststore, all certificates are being looked at until one is found that fits.
You can use that keystore for any number of applications. No need to generate a new keystore.
Correct me if I'm wrong but if you'll see this answer to a similar question you see that the certificate does indeed depend on the particular "alias" (within your keystore) that you choose to sign with.
Read the answer carefully and you see that the "keystore" contains "alias"s (which are actually private+public key pairs). When you sign your apk it is the "public key" that is the actual certificate being embedded.
Therefore when updating your app you should always use the same "alias", not just the same "keystore". As for why devs would have multiple "alias"s in their keystore, I'm uncertain of the benefit other than what you and others have stated.
And the only way you can sign with a different alias would be to clone the previous one as the answer also suggests.
I have also confirmed that signing an APK with different alias's (from the same Keystore) will generate different APK signing signatures which should be proof that different "alias"s = different certificate. How to get your signing sig (<- note: I don't know what the Trace.i method they refer to is, I used Log.i instead)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With