17

How do I sign an APK with more than one certificate, so that I can do this when I publish to the Android Market:

Version 1.0 => Signed with Certificate A
Version 2.0 => Signed with Certificate A & B
Version 3.0 => Signed with Certificate B

The Android Market does give me some hope but I am not sure what to make of it; when I upload with a different signing certificate it gives me this message:

"The apk must be signed with at least one certificate in common with the previous version."

Motive:
I have published an app on the market using the Android Signing Tool as part of MotoDev Studio for Android. The problem is that it handles the keys itself and there is no (documented) way to get them. I want to change it to use a keystore and certificate that I have more control of and can use even if I don't use MotoDev Studio anymore. Also it seems that MotoDev Studio will lock you out of new features such as shared libraries.

UPDATE 5/3/2011:
They have actually been really quick and prompt at updating MotoDev Studio, but I believe that Google should still provide a workaround for those that want to change the certificates of their applications: updating applications to all use the same certificate, creating new ones over time, and possibly creating a new one so that you may hand off the support and distribution of your application to others.

ddcruver

3 Answers

14

If you want to sign an APK more than once, just do so.
But note that Google Play does not accept APKs with multiple signatures.

e.g. You can sign an APK from the command line using jarsigner like so (the keystore, then the unsigned APK, then the alias of the key in that keystore):
jarsigner -keystore original-keystore my-app-unsigned.apk key-alias

Then just repeat this with the second key:
jarsigner -keystore new-signing-keystore my-app-unsigned.apk key-alias

Don't forget to run zipalign afterwards:
zipalign -v 4 my-app-unsigned.apk my-app.apk


I just re-read the part about MotoDev Studio. In that case you can just sign the APK first using MotoDev as usual, then sign with your new key on the command line as above.

Christopher Orr
  • OK, I will see if the Android Market will accept it signed with the old certificate then the new one, and then upload another update with just the new one and see if it works. That is what I was thinking, but I am new to code signing in general and it does not once mention a way to change certificates. – ddcruver May 23 '10 at 17:51
  • Well at least in the Android Docs. – ddcruver May 23 '10 at 18:06
  • Seems to work just fine; this seems to be THE way to change the certificate on an Android Market application. – ddcruver May 27 '10 at 03:16
  • Just wanted to update this: it works fine, but ALL your users will have to uninstall and reinstall their applications in order to upgrade. This issue I assume needs to be addressed by the Android Market some time in the future. I won't be changing any more of my certificates over because it is an annoyance to my customers. – ddcruver Jun 05 '10 at 19:35
  • I just tested this process today - it looks like the Marketplace portal has been updated to check for a complete 1-1 certificate match, so this upgrade approach to certificates no longer works. The error message is now "The apk must be signed with the same certificates as the previous version." – cistearns Mar 01 '11 at 03:19
  • @cistearns: That's great news. We've actually seen problems with signing with two certs. Glad to see the Market now blocks it. – Christopher Orr Mar 01 '11 at 13:42
  • @ChristopherOrr I make a signed apk file from the command line. Now I want to zipalign this apk file. Where can I find the zipalign package? Please let me know. – Md Maidul Islam Jul 22 '15 at 09:13
  • @Maid786 zipalign is in the Android Build Tools package. – Christopher Orr Jul 22 '15 at 12:31
  • @ChristopherOrr Do you know if the multiple signature restriction of google play store is also a restriction of f-droid? – Rob McFeely Feb 25 '16 at 15:33
  • @RobMcFeely Sorry, I don't know about F-Droid. But it's probably immaterial whether app stores accept APKs with multiple certificates, as I imagine Android devices likely won't accept the A / A+B / B scenario mentioned in the question to attempt certificate migration. – Christopher Orr Feb 25 '16 at 15:39
  • @ChristopherOrr Thanks. Our problem is not the A / A+B / B over different version scenario but rather we have a need to publish apks through our own f-droid with 2 signatures X and Y (no change over time). I'm trying to find out whether f-droid will not like it. – Rob McFeely Feb 25 '16 at 16:16
4

I was really pleased to see this post until I saw @ddcruver's comment (2010-06-05) and @cistearns' comment (2011-03-01).

However, there's actually a major security issue with the transition method you describe (if it were to work how you'd expect), making it fairly trivial for an attacker to replace your app if they can get your users to install their stuff:

  • You release your app signed with certificate A.
  • The attacker obtains the apk, additionally signs it with certificate M, and distributes the app.
  • The attacker can then release a malicious app signed with certificate M to replace yours and get access to any data it may be storing.

Normally, if an attacker tried to replace something, the install would refuse unless the original is removed - at which point the data is wiped.

On the other hand, there are still several valid use-cases for transitioning a key/certificate: key renewal, hand over to another developer, etc.

This could be done more securely by authorising the transition to a new key from the old key. Please see the issue in the Android project.

James Haigh
  • "The attacker obtains the apk, additionally signs it with certificate M, and distributes the app." -- which, based on the comments you cited, appears to be blocked by the developer console. – CommonsWare May 12 '12 at 23:47
  • Yes exactly. As it stands, it's not a security issue. I'm saying if it /were/ possible to transition a key that way, then it /would/ be a security issue. – James Haigh May 13 '12 at 00:43
  • Note also that Google Play (and the developer console) isn't the only way of distributing apk files. – James Haigh May 13 '12 at 00:56
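The two acceptance rules quoted in this thread ("at least one certificate in common" versus "the same certificates") can be compared directly on the two chains of releases discussed above: the developer's A / A+B / B migration from the question and the A / A+M / M hijack from this answer. This is an added example, not code from either answer; certificate identities are constructed labels standing in for real certificate fingerprints, and the "install" is a model of the update check, not a call into the Android package manager.

```python
"""Model of the update-acceptance policies discussed in the thread.

Each APK is represented by the set of certificates that signed it (running
jarsigner once per key adds one signer). Labels such as "A" are constructed
placeholders for real certificate fingerprints.
"""
from typing import Callable, FrozenSet, List

Certs = FrozenSet[str]
Policy = Callable[[Certs, Certs], bool]

def signers(*fingerprints: str) -> Certs:
    """Signer set of one APK build."""
    return frozenset(fingerprints)

def allowed_any_common(installed: Certs, update: Certs) -> bool:
    """Older Market rule: the update shares at least one signer with the installed version."""
    return bool(installed & update)

def allowed_exact_match(installed: Certs, update: Certs) -> bool:
    """Later Market rule (and Android's install-time check): identical signer set."""
    return installed == update

def run_chain(policy: Policy, versions: List[Certs]) -> bool:
    """Install versions[0], then apply each later build as an update.
    Returns True only if every update step is accepted under the policy."""
    installed = versions[0]
    for update in versions[1:]:
        if not policy(installed, update):
            return False
        installed = update
    return True

# Legitimate migration from the question: A -> A+B -> B
MIGRATION = [signers("A"), signers("A", "B"), signers("B")]
# Hijack from this answer: the attacker re-signs the developer's v1.0 APK with M,
# gets the victim to install that copy, then ships a build signed only with M.
HIJACK = [signers("A"), signers("A", "M"), signers("M")]

def evaluate() -> dict:
    """Outcome of both chains under both policies, keyed by (policy, scenario)."""
    policies = {"any_common": allowed_any_common, "exact": allowed_exact_match}
    scenarios = {"migration": MIGRATION, "hijack": HIJACK}
    return {(p, s): run_chain(pol, chain)
            for p, pol in policies.items() for s, chain in scenarios.items()}

if __name__ == "__main__":
    for (policy, scenario), accepted in evaluate().items():
        print(f"{policy:10s} {scenario:10s} accepted={accepted}")
```

Under "any_common" both chains are accepted, so the rule that makes the migration work also admits the hijack; under "exact" both are refused, which is the trade-off the Market's later error message settled in favour of refusing.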
2

I had the problem today and here is what I did:

  1. Back up the old motodev.keystore file
  2. Use a recent MotoDev Studio (2.0.1) to change my motodev.keystore password (change it in the MotoDev view where you can import a keystore)
  3. Convert the MotoDev keystore file (of type JCEKS) to a regular Android keystore file (of type JKS) using the keytool.exe program bundled with Java:

keytool -importkeystore -srckeystore motodev.keystore -srckeystoretype JCEKS -destkeystore android.keystore -destkeystoretype JKS

Now the android.keystore file can be used in the Google Eclipse plugins to export your application to a signed APK.

Vincent Mimoun-Prat