Our developers will be using both PCs and Macs to create Android apps.
When a KeyStore is generated on a Mac, how do we move it to a PC so that the same app can be edited/built/signed by both Macs and PCs?
I imagine that you can just use a flash drive, no? I'm going to assume you create the keystore using java's keytool, which is cross platform as far as I know. So once you've created your keystore, you just copy it from one computer to the other. When you're ready to sign your app, just navigate to the flashdrive or where ever you copied the keystore from the flashdrive.
Copy/Paste through network or usb memory key ... Keys and Key folder are just folder ...
But your question raise another issue.
Why keys have to be shared accross developpers..
In android development and keys you have 2 roles
1) Publisher
2) Developer/Workers
Publisher will sign final application ready for release to final user/customer
It use development APK files that are unsigned then use publisher key with long validity to sign the package.
Publisher may have several keys but more for business reason.
Developer/Workers will use automatic eclipse generated keys with short validity(1 years) just to be able to test/debug the app on device, these keys should/must not be used for release purposes.
Each worker may have it own keys and can change it when he want
Or each worker should have the ability to sign any final APK they produce, but it can be a security risk.. because any worker may use this final release key (publisher key) anywhere and any application from your command or any other uncontrolled other application ...
Related
I need to upload my own new second Android application in playstore. I know it is possible to use same keystore file. But I don't have idea to use same alias or different alias need to generate for second application for playstore.
Keystore is just container holding your keys (like jar for cookies), so from technical point of view is completely irrelevant if you keep all your keys in single keystore or you have them splited among many (you can even have separated keystore file for each key - nothing prevents that).
Alias is also irrelevant - it's just "human friendly name" for your key, just for your convenience. It also makes no difference technically, however you cannot have more than one keys using the same alias in given keystore:
KeyStore Aliases
All keystore entries (key and trusted certificate
entries) are accessed via unique aliases.
http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
However you can use the same alias in different keystores w/o any problems.
NOTE: You can technically sign all your apps with the same key but this is strongly discouraged. You should create separate key for each released app - that will make your life much easier when i.e. you will decide to sell your project for instance.
Yes You can use same keystore to upload different apps, if all the apps belongs to you or your firm.
I was just curious if there is a way to get platform.pk8 and platform.x509.pem which are used to sign the rom inside the Android device.
My aim is no more than developing system applications for testing and using my self-owned devices on my desired purpose.
For those who are not familiar with creating system apks: signing an apk with system signature [WITHOUT ROOTING]
No.
At least, not if the person building the ROM knows what they're doing.
From the docs (emphasis mine):
Each key comes in two files: the certificate, which has the extension
.x509.pem, and the private key, which has the extension .pk8. The
private key should be kept secret and is needed to sign a package. The
key may itself be protected by a password. The certificate, in
contrast, contains only the public half of the key, so it can be
distributed widely. It is used to verify a package has been signed by
the corresponding private key.
If your device has an unlockable boot loader, you could build and flash your own ROM, using a key pair that you created yourself. That way, you'll have the platform private key to use for your system app.
I have a signed APK. What I want to do is, access the private key and sign (encrypt) some message using it.
Is it possible to access this private key through my code in run time?
Any sample code to do the same?
Never, ever place you Keyring for signing playstore apks in your app.
Because everyone can extract the keyring from your app and use it.
Best practice is to create a new keypair inside of your app on first start. So every installation of your app has its own keypair. Otherwise your users could encrypt data from other installations, too.
More secure is it, to ask the user for password. Which you can then use to secure the keystore for the newly generated keypair. This way also a stolen keystore of your app is harder to crack, because it has a password which only your user knows.
Very complex scenarios uses a key exchange system, where your user keys are generated and managed by a server application. Transport can be done with AES encryption etc.
Here is good presentation about basic cryptography on android from a good fried al sutton ;) http://de.slideshare.net/AlSutton/2014-droidcon-nlandroidcryptography?ref=https://www.linkedin.com/in/alsutton
I have a keystroke from google for my app. When I try to Export signed application package from eclipse, it gives me an option to either create a new keystore or to use an existing one.
As per my understanding I must use the "Base64-encoded RSA public key" that I got from Google. But there is no way I can download the key directly from the page where google displays it for me.
Can someone please let me know if I have to import it in someway or am I missing something?
Or should I just copy paste the key to some (binary) file in my project? Please help!
I have a keystroke from google for my app.
But there is no way I can download the key directly from the page where google displays it for me.
Which page is that? You shouldn't download a key in order to sign your application.
Or do you mean the debug.keystore which comes with the installation of the Android bundle? You can use it during development, but you need to create your own key when releasing the App. (Google Play won't accept an apk signed with the debug keystore)
If you are not releasing yet and you want to use the debug keytore - search your system for 'debug.keystore'. On Windows it can be in:
C:\Users\USERNAME\.android\debug.keystore
The passwords for the keystore and the android alias are android.
If however you want to create a new key for yourself - you can do that using the provided keytool as described here.
Finally, if you need an additional key for accessing some Google API (eg. Maps) with your App, then from the online developer console you need to create an additional Android key with the same fingerprint, as the one that you are signing the App with. This additional key is typically included in your manifest after that.
For reference, you can create new keys for your App here: https://console.developers.google.com
I am wondering which is the more popular option, Having 1 keystore to sign all the apps you publish, and duplicating that keystore into the cloud and locally to keep it safe, or generating a new keystore for every new app submitted, and keeping copies of all of them?
It seems easier to have 1 keystore for everything, but despite duplicating it, im afraid of it getting corrupted and loosing access to all of the apps.
Whats the best approach for this situation?
If you use the same keystore, it will be easier to make your apps work together. By having them signed with the same key, you can use a shared UID (not really recommended), or use signature based permissions. That would make it possible to export certain data or functionality and restrict access to your own apps only (using a ContentProvider or a remote service). The downside is, that if you loose the key, you'll have to republish all apps.
If you use separate keystores, it's easier to transfer an app to someone else (give them keystore and password). Additionally, you need to re-publish only one app if you lose/corrupt the keystore.
Take you pick, but I'd say: use the same keystore and make lots of backups. I would also use physical media (CD, etc) in separate locations, rather then the 'cloud', but that's your choice too.