I did not properly create the keys, where he is now?
I created the keys, where I create the application
where keys is now? (there is only one file LM.apk, but he did not keys)
You're are misundersting the keystore :
The keystore is a file which identify you (to securize your release), don't name it *.apk, it's not your application build
You can store as many key in your keystore, one for each application you want to sign with
So you just have to create a first key on your keystore by providing an alias and a password
Then you'll have 1 password for opening your keystore and one for signing with the desired key (alias)
Related
I have JKS keystore and I remember the password but not alias.
It's said 'No key found with the alias'.
please help.
If you are using Android Studio, then you can find the key alias like this if you know the password,
Enter your keystore path and password, and tap on the folder icon at key alias section,
You will get the key alias list in new window like this,
You can use existing key, or if you want, you can create new one.
can anyone clarify me that is it possible to recover keystore alias key?
i am in big trouble my app is already on playstore and update is ready,and stuck at this point
Here is link bruteforce
using from last two days,nothing works for me..
You can try and find the password in one of the gradle files if you still have the source code and were using Android Studio to develop the app. Try looking for:
..Project\.gradle\2.4\taskArtifacts\taskArtifacts.bin
Alternatively, you can create new keystore and set new password for it with the keytool command below. You don't need original keystore password for it:
keytool -importkeystore -srckeystore path/to/keystore/with/forgotten/pw \
-destkeystore path/to/my/new.keystore
When prompted, create password for your new.keystore and for source keystore password (which you lost) just hit Enter.
You will get warning about integrity not checked, and you will get your new.keystore identical to original with newly set password.
The reason this works is keystore password is only used to provide integrity of the keystore, it does not encrypt data with it, in contrast to private key password, which actually keeps your private key encrypted.
I want sign an APK with a keystore but I dont remember the key password
I have the keystore file
I have the keystore password
I have the alias name
I DONT have the key password (alias one)
Its possible get the alias password without bruteforce?
Thanks in advance,
Yes - you can restore your 'passwords.txt' from backup and look for the password there.
Seriously, the hypothetical possibility to restore the passowrd without long and expensive bruteforce - will brake the cryptography completely.
I have created key hashes as described here (in the end of step 4):-
They tell password is android
It is correct for debug.keystore but I have distr.keystore with different password
Both passwords worked and produced different key hashes when I used them with distr.keystore.
I expected to see: - you have entered wrong password
I think non android password is correct one. But how do I test Key Hash that it is correct Key Hash and another isn't.
u said the both passwords worked with different key hashes , try to use both of them in the facebook side and enter each key hash and try to use your application . it should work if the key hash is right , and the program shouldn't work if the key hash is wrong. but why do u use another file rather than the debug.keystore ?
I am working on a proof of concept related to attestation of a software component ( to be specific, an apk file ) on an android device. To that end I did the following:
I programmatically retrieved the digests stored in META/CERT.SF of an application installed on my android tablet( say maps.apk), belonging to AndroidManifest.xml, resources.arsc and classes.dex.
Then, I computed the SHA-1 digests of these files and after that did base64 on those digests. I was able match these to the ones in step 1.
My question is, where is the role of public key stored in META-INF/CERT.RSA? Aren’t Digests stored in META-INF/CERT.SF supposed to be signed by private key corresponding to the public key in META-INF/CERT.RSA?
The real question is: What is the role of CERT.SF??
The file CERT.SF does NOT contain signed data but it is build from MANIFEST.MF only. This means it does not contain any information that cannot be extracted from MANIFEST.MF.
The CERT.RSA or CERT.DSA (depending on the algorithm used) file contains the actual signature for CERT.SF. To build CERT.RSA from CERT.SF the private key is needed...
-- EDIT --
Sorry. First time I read your question I understood it in another way.
The first step for checking the integrity of the archive is really checking if the hashes in CERT.SF are correct. Next step is to check if CERT.SF itself has been modified.
This is done using CERT.RSA and can be done in two ways:
If you have the public key of the signer of the file you use this key to check the signature; you ignore the public key in the RSA file. In this case you are sure the file has been modified by the person that signed with his private key.
An RSA file always contains the public key and the name/address of the owner of this key. This information is signed using (the same or another) private key. If the person/organisation that signed the key/name in the RSA file can be trusted and you have the public key of the organisation you know at least that the name/address in the file was the person that last modified the file.
For "self-signed certificates" (you do not have a trustable public key) there is no possibility to check the file...
Signing is NOT used to check if the file has not been changed. This would be done just by hashing manifest.mf. The one who has the private key can modify the software in any way!
Martin