I know a certificate contains a public key and some extra info (I hope) but is it saved in the apk file? Is it a file or text or what? And what is a signature exactly?
And in Android which one could we easily read to verify the app?
Certificates and keystores
A public-key certificate, also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, as well as some other metadata identifying the owner of the key (for example, name and location). The owner of the certificate holds the corresponding private key.
When you sign an APK, the signing tool attaches the public-key certificate to the APK. The public-key certificate serves as as a "fingerprint" that uniquely associates the APK to you and your corresponding private key. This helps Android ensure that any future updates to your APK are authentic and come from the original author. The key used to create this certificate is called the app signing key.
A keystore is a binary file that contains one or more private keys.
Every app must use the same certificate throughout its lifespan in order for users to be able to install new versions as updates to the app. For more about the benefits of using the same certificate for all your apps throughout their lifespans, see Signing Considerations below.
Sign your debug build
When running or debugging your project from the IDE, Android Studio automatically signs your APK with a debug certificate generated by the Android SDK tools. The first time you run or debug your project in Android Studio, the IDE automatically creates the debug keystore and certificate in $HOME/.android/debug.keystore, and sets the keystore and key passwords.
Because the debug certificate is created by the build tools and is insecure by design, most app stores (including the Google Play Store) will not accept an APK signed with a debug certificate for publishing.
Android Studio automatically stores your debug signing information in a signing configuration so you do not have to enter it every time you debug. A signing configuration is an object consisting of all of the necessary information to sign an APK, including the keystore location, keystore password, key name, and key password. You cannot directly edit the debug signing configuration, but you can configure how you sign your release build.
For more information about how to build and run apps for debugging,
As far as I know (I'm fairly new to android development), you sign your apk with a certificate. Someone correct me if I'm wrong.
Here is some additional information:
https://source.android.com/security/apksigning/v2
https://developer.android.com/studio/publish/app-signing.html
Also, if you want to publish via google play store, this is important to know for you:
The apk must be signed with the same certificates as the previous version
When you compile your APK, one of final steps is signing your APK. Actually it is adding 3 small files. You can rename any APK to ZIP, unpack it and you will find directory META-INF - it your signing information.
MANIFEST.MF and CERT.SF is very similar and contains list of files and their sha1/sha256 hash sums (one for files, second just for entries of first file), and CERT.RSA which is x509 certificate with your public key.
Related
For a couple of days, I've been trying to upload the aab of an existing app. We have never tried aab before, so this was a fresh attempt. I encountered an error saying "Your android app bundle is signed with the wrong key", which indicated a mismatch of SHA1. So I cleaned the project, rebuilt, invalidated cache (because why not) and tried again - the error persisted. Although, uploading regular APKs work fine with this keystore.
Out of curiosity, I tried building the signed aab with another keystore in our project directory (one that no one used) and to my surprise, this newly signed aab was accepted. This seemed impossible, and I found the SHA1 of "App signing certificate" belongs to one keystore, while the "Upload certificate" belongs to another keystore.
I don't understand how is this possible. We have multiple people access the dev console. Even if it's a human error, how was the upload certificate from the wrong keystore accepted? How can I have this fixed so that I can upload the aab with the actual keystore?
When you (or someone in your team) enrolled your app in App Signing by Play, you must have created this second keystore to create the upload key and uploaded the certificate to Google Play (by simply following the given instructions).
The upload key is the one that should be used to sign the future APKs and App Bundles.
The reason that your APKs can still be uploaded with your original app signing key even after creating this upload key is that Play wanted to allow for this transition time where you're just testing the App Bundle in some testing track but don't want your current APK release process be affected in the meantime, so they'll still accept the APKs to be uploaded with the app signing key.
Ideally, you should now put the keystore containing your app signing key in a safe location with restricted ACLs (since having it compromised can have devastating consequences, i.e. have to migrate all your users to a new app) and only use the keystore containing your upload key (which, if compromised, can be reset).
For some explanation about upload keys and app signing keys, I recommend reading the documentation here:
https://support.google.com/googleplay/android-developer/answer/7384423?hl=en-US
I'm trying to get the fingerprint of app, but the value obtained with android key tool is not the same as the value of some ready-made exe.(ex : "HashMyFiles", "Hashtab")
android keytool : 9B:D8:DD:1.......
HashMyFiles , Hashtab : 52725F4.................
Can someone explain why this is? And I think what I need is the one that I got from the ready-made exe. How do I write my code?
If you have signed it with Android Studio, you can read this.
If its an app you've already published you can get its signature fingerprint from your Google Play Console as given by me in an earlier separate answer.
If its someone else's apk, you might want to ask them for those singing fingerprints for SHA1, SHA256 and MD5. There is no other way of retrieving the signing keys.
How Google Play App Singing works
You digitally sign each release using your upload key before
publishing it to a track in the Play Console.
Google Play uses the upload certificate to verify your identity and then re-signs your release using the app signing key for distribution.
Each Android device checks the release’s app signing certificate matches the
certificate of the installed app before updating it.
More about app signing here.
A certificate fingerprint is a short and unique representation of a certificate that is often requested by API providers alongside the package name to register an app to use their service.
The tool(HashMyFiles) that you use will provide you with a hash value of the Application and not the MD5, SHA-1, SHA-256 fingerprint.so you should use the android keytool to get the fingerprint certificate for your app, also remember each build variant of your app can have different fingerprint and it is important to have a separate fingerprint for your release build.
If you want to know more go to :Authenticating Your Client
I have an app already uploaded and published on play store. Now I want to update it. It was signed using google-play signing, I do have keystore and cert
but when I try to make a signed apk from android studio it gives me this error :
Trusted certificate entries are not password-protected
I also tried to make apk using jarsigner but still on luck.
I downloaded certificate then added certificate in jks but still there is error.
Certificate chain not found for: mykey. mykey must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
mykey is valid key I can see it in keystore List
Well, the Keystore is not the certificate that Google gives you once you upload the app on the Google App store, the Keystore is the one that Android Studio gives you once you sign the app, it requires an Alias and a Password too to be more precise, however, try to find the Keystore because you can't update your own app without the SAME Keystore you used for the first upload, good luck and keep coding, let me know if you need more support or if you still have some doubt, have a good day!
We recently had a developer leave us and now I am in charge of uploading any updates to Google play. We opted in to App Signing so i was able to download the cert. I am not sure I did what was correct. I double clicked the .der file which installed the key into my Key manager on mac. Then i imported that key into the generated keystore for the apk using Keytool. I am able to choose it when I build the APK but then get an error saying
Cause: trusted certificate entries are not password-protected
Any help? Thanks!
The certificate cannot be used to sign the APK, it doesn't contain the private key. You should find the keystore that contains the upload key, identify the alias of that key and use that to sign.
If you don't have the keystore anymore, you can generate a new private key and contact Google support to reset it: https://support.google.com/googleplay/android-developer/answer/7384423?hl=en.
After developing android app, I have to sign it in order to publish it to Play store.
What does singing process actually do?
I thought it related to encryption, but I am able to uncompress the apk file without any need to my app's signing keys.
Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority. Android apps often use self-signed certificates. The app developer holds the certificate's private key.
The basics behind protecting your Android app is to use a generated certificate and digital “key” which provides a unique, encrypted, and reasonably un-hackable signature. This proves that the app came from you, not some other suspicious source.
On Android, this is done via a keystore. The keystore is a simple file with a really large block of encrypted data. This file can be stored anywhere on your computer, and this is generally the first problem that developers encounter.
There are two types of keystores that you should be aware of: debug and release.
Keystore files are also protected by a pair of passwords: one for the keystore file itself and another for each keystore/alias pair within the file. While these passwords should ideally be unique, most developers use the same password for both.
You can sign an app in debug or release mode. You sign your app in debug mode during development and in release mode when you are ready to distribute your app. The Android SDK generates a certificate to sign apps in debug mode. To sign apps in release mode, you need to generate your own certificate.
How to sign your apps in Android Studio
Android requires that all apps be digitally signed with a certificate
before they can be installed. Android uses this certificate to
identify the author of an app, and the certificate does not need to be
signed by a certificate authority. Android apps often use self-signed
certificates. The app developer holds the certificate's private key.
Android Documentation: Signing Your Applications