-1

I have a client who wants a release version of an APK, but they won't give us the release JKS file to sign it with.

But is it possible to sign with the release JKS whilst keeping the certificate's password secure? Or can we just send an APK they can re-sign under their certificate for release? Documentation I have found so far assumes you have the control of the release certificate with password or doing something like this.

Or is it a case of sending them an unsigned APK, and letting them complete signing?

angryITguy
  • Thanks for the downvote without reason. If there is a way to improve this question, please suggest – angryITguy Jan 15 '18 at 05:30
  • I believe you can't, because if that were possible, I could upload any release APK as my own. AFAIK, even unsigned APKs can't be signed again, as building debug APKs, Android Studio creates random certificates – Ayush Gupta Jan 15 '18 at 05:37
  • @AyushGupta I understand that you can't let anyone sign any APK and upload it. I was hoping there was something that could allow safe distribution of a release JKS, so authorised parties could sign a specific APK using another subordinate password without compromising the certificate's primary password. – angryITguy Jan 15 '18 at 05:41
  • @AyushGupta Google has their apksigner tool that allows you to re-sign any APK. As you said though, any APK updates to the Play Store will need to match the original signature – Leonardo Casale Jan 16 '18 at 16:31
  • @LeonardoCasale Client must continue to use original signature. We used apksigner in the end. Given the nature of mobile development, and third parties who deliver apps, a secure means of delivering and re-signing an app is something that should be supported by a simple process. – angryITguy Jan 16 '18 at 22:25

2 Answers

1

You can't. The only (pseudo) way is to delete the app and publish a new one, and it's not right.

You have to let them sign it, then you can release.

Do it right the first time around.

theAnonymous
  • Thanks.. it's not a question of "doing it right the first time around" but getting the client to use the signing process properly. We have sent them an unsigned "release" build. They will sign it at their end. – angryITguy Jan 15 '18 at 05:45
1

You can use apksigner to re-sign the APK before publishing. This will overwrite the existing signature on the APK and allow your client to keep their JKS secure.

Leonardo Casale
  • apksigner was the best option to deliver it. Would have thought something built into Android Studio would support this, they have Firebase support and other IDE processes, (rhetorically speaking), why not this.. – angryITguy Jan 16 '18 at 22:28
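
The handoff described in this thread (developer sends a release build, the keystore owner signs it with apksigner) can be scripted on the client's side so the JKS and its password never leave their machine. The following shell script is an added example, not part of any post above; the file names, the key alias, the `KS_PASS_FILE` variable and the idea of sending the APK's SHA-256 digest over a separate channel are assumptions made for illustration.

```shell
#!/bin/sh
# Run by the keystore owner. Constructed example: paths, alias and
# KS_PASS_FILE are placeholders, not values from the thread.

# Refuse to sign anything whose SHA-256 differs from the digest the
# developer communicated separately (assumed process).
check_digest() {
    apk=$1
    expected=$2
    [ -f "$apk" ] || { echo "missing input: $apk" >&2; return 2; }
    actual=$(sha256sum "$apk" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "digest mismatch: $apk" >&2; return 1; }
}

# Choose how apksigner receives the keystore password. "pass:<value>" is
# deliberately not offered: it would expose the password in the process
# list and in shell history.
ks_pass_arg() {
    if [ -n "${KS_PASS_FILE:-}" ]; then
        printf 'file:%s' "$KS_PASS_FILE"   # file readable only by the signer
    else
        printf 'stdin'                     # typed interactively at signing time
    fi
}

# Align, sign, then print the signing certificate for comparison with the
# certificate already used for the app's published releases.
resign_apk() {
    in_apk=$1
    expected=$2
    keystore=$3
    key_alias=$4
    out_apk=$5
    check_digest "$in_apk" "$expected" || return 1
    [ -f "$keystore" ] || { echo "keystore not found: $keystore" >&2; return 2; }
    aligned="${out_apk%.apk}-aligned.apk"
    # zipalign has to run before apksigner; aligning afterwards would
    # invalidate the signature.
    zipalign -f -p 4 "$in_apk" "$aligned" || return 3
    apksigner sign --ks "$keystore" --ks-key-alias "$key_alias" \
        --ks-pass "$(ks_pass_arg)" --out "$out_apk" "$aligned" || return 4
    rm -f "$aligned"
    apksigner verify --verbose --print-certs "$out_apk"
}
```

A call such as `resign_apk app-release-unsigned.apk <sha256-from-developer> release.jks <alias> app-release.apk` requires `zipalign` and `apksigner` from the Android SDK build-tools on the `PATH`.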