142

This is a general question, but particularly I am interested in its use for Android. What is a keystore file, and what is it used for?

Can multiple Android applications use the same keystore to sign their application (what exactly does it mean to "sign" an .apk?), and what are the implications (if any) of this?

jww
Christopher Perry
    You seem to be conflating two topics. First is the keystore, and second is APK signing. Also see Nikolay Elenkov's [Android Security Internals: An In-Depth Guide to Android's Security Architecture](https://www.amazon.com/dp/1593275811). – jww Jun 04 '17 at 08:55

4 Answers

150

The answer I would provide is that a keystore file is used to authenticate yourself to anyone who is asking. It isn't restricted to just signing .apk files; you can use it to store personal certificates, sign data to be transmitted and a whole variety of authentication.

In terms of what you do with it for Android, and probably what you're looking for since you mention signing apks, it is your certificate. You are branding your application with your credentials. You can brand multiple applications with the same key; in fact, it is recommended that you use one certificate to brand multiple applications that you write. It is easier to keep track of what applications belong to you.

I'm not sure what you mean by implications. I suppose it means that no one but the holder of your certificate can update your application. That means that if you release it into the wild and lose the cert you used to sign the application, then you cannot release updates, so keep that cert safe and backed up if need be.

But apart from signing apks to release into the wild, you can use it to authenticate your device to a server over SSL if you so desire (also Android related), among other functions.

Gaurav Agarwal
Otra
23

Android Market requires you to sign all apps you publish with a certificate, using a public/private key mechanism (the certificate is signed with your private key). This provides a layer of security that prevents, among other things, remote attackers from pushing malicious updates to your application to market (all updates must be signed with the same key).

From The App-Signing Guide of the Android Developer's site:

In general, the recommended strategy for all developers is to sign all of your applications with the same certificate, throughout the expected lifespan of your applications. There are several reasons why you should do so...

Using the same key has a few benefits. One is that it's easier to share data between applications signed with the same key. Another is that it allows multiple apps signed with the same key to run in the same process, so a developer can build more "modular" applications.

Alexander Lucas
    Hint: another option: I'd recommend using different keystores if they are totally unrelated apps. If you end up selling one of the apps, you can give away the corresponding keystore without compromising the security of your other apps. – Ahmed Nabil Jan 02 '21 at 23:02
11

You can find more information about the signing process in the official Android documentation here: http://developer.android.com/guide/publishing/app-signing.html

Yes, you can sign several applications with the same keystore. But you must remember one important thing: if you publish an app on the Play Store, you have to sign it with a non-debug certificate. And if one day you want to publish an update for this app, the keystore used to sign the apk must be the same. Otherwise, you will not be able to post your update.

Raphaël Titol
    No, this is wrong. The keystore which you use to sign the apk could be different, but the key which you use to sign the apk must be the same. The keystore file is just a file used to store the key and certificate information; you can have multiple key entities in the same keystore file. – zeleven Jan 27 '20 at 08:29
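As an added example that is not part of any answer above, the following Java program (JDK 11+, standard library only) makes the two points of the preceding answers concrete: it lists the certificate fingerprint of every key entry in a keystore (one file can hold several keys, as zeleven's comment says), then extracts the signer certificates of an installed APK and a candidate update and compares them the way the platform does before accepting the update. It assumes the APKs carry a v1 (JAR) signature; APKs signed only with the v2/v3 scheme have no META-INF signature and must be checked with apksigner instead. File names and the password are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
public class SignerCheck {
    // SHA-256 over the DER-encoded certificate: the identity Android compares on update.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    // One keystore file can hold several key entries; report the certificate of each by alias.
    static Map<String, String> keystoreFingerprints(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // PKCS12 on modern JDKs; also reads JKS
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        Map<String, String> out = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases()))
            if (ks.isKeyEntry(alias)) out.put(alias, fingerprint(ks.getCertificate(alias)));
        return out;
    }
    // Signer certificates of a v1 (JAR-signed) APK. JarFile verifies each entry as it is read and throws
    // SecurityException on a tampered file; getCodeSigners() is only populated after the entry is fully read.
    static Set<String> apkSignerFingerprints(String apkPath) throws Exception {
        Set<String> out = new TreeSet<>();
        try (JarFile jar = new JarFile(apkPath, true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) { in.transferTo(OutputStream.nullOutputStream()); }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                for (CodeSigner s : signers) out.add(fingerprint(s.getSignerCertPath().getCertificates().get(0)));
            }
        }
        return out;
    }
    public static void main(String[] args) throws Exception {
        // args: <release.keystore> <password> <installed.apk> <update.apk>  (all placeholders)
        keystoreFingerprints(args[0], args[1].toCharArray())
            .forEach((alias, fp) -> System.out.println("keystore entry " + alias + ": " + fp));
        Set<String> installed = apkSignerFingerprints(args[2]), update = apkSignerFingerprints(args[3]);
        // The platform accepts an update only when its signer set matches the installed app's exactly.
        System.out.println(installed.equals(update) ? "update would be accepted" : "update REJECTED: signer mismatch");
    }
}
```

If the update's fingerprint set does not appear among the keystore entries, the update was built with a different key, which is exactly the situation the answers warn about when a release key is lost or a debug key is used by mistake.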
0

The whole idea of a keytool is to sign your apk with a unique identifier indicating the source of that apk. A keystore file (from what I understand) is used for debugging so your apk has the functionality of a keytool without signing your apk for production. So yes, for debugging purposes you should be able to sign multiple apks with a single keystore. But understand that, upon pushing to production, you'll need unique keytools as identifiers for each apk you create.

HMM
Adam Storm
  • You do not need to sign an app to debug it, either in the emulator or on an actual device. – Marcus Jul 27 '11 at 19:13
  • I didn't mean you HAVE to sign it to debug it... but you can use keystore as a test implementation of your keytool. – Adam Storm Jul 27 '11 at 19:17
  • I don't think `keytool` is what you mean. keytool is a java program used to generate keystores. – Otra Jul 27 '11 at 19:22
  • Yes, you are right, keytool is not what I mean. I guess 'key' is what I mean. I was merely trying to explain to the asker that you can have a communal apk key for debugging, but upon publishing, each apk will need to have unique keys for editing and upgrading. – Adam Storm Jul 27 '11 at 19:26
  • They do not need unique keys though... you can sign multiple apks with one private key; it is actually preferred that you do so. Could you imagine keeping track of 10 different certs/keys for 10 apps? – Otra Jul 27 '11 at 19:28
  • Well, thank you for the information! It was explained to me in a dev lecture that without unique keys you can't update a single apk... I guess you use the key/apkname as unique IDs for your update service? – Adam Storm Jul 27 '11 at 19:38
  • Glad to have cleared that up! :) It is true that without a unique key (separate from the debug.keystore that android by default supplies), you can't update, but you only need one, and yes, you'll use that key to update your app. – Otra Jul 27 '11 at 19:42