0

I'm trying to update my Android app, but I forgot the keystore password.

When I type keytool -list -v -keystore keystore.jks, I'm requested to enter a password, and when I hit enter for the empty password, I see:

Alias name: xxxx
Creation date: Jun 24, 2020
Entry type: PrivateKeyEntry

For all other passwords I get "keystore password was incorrect".

Now I want to change my password, so I type keytool -storepasswd -keystore keystore.jks, and when I'm requested to enter a password - I hit enter for an empty password, and I get an incorrect password exception.

I can't get it: if my password is empty, why do I get an incorrect password error when I change it? If my password is not empty, why do I see the list of keys when I enter an empty password?

I do also have some private key, maybe it can help.

a3dsfcv
  • No, because the question is: if my password is empty, why do I get an incorrect password error when I change it? If my password is not empty, why do I see the list of keys when I enter an empty password? – a3dsfcv Jun 15 '21 at 21:37
  • 1
    The only thing that is private in a keystore is keys. Certificates are public documents, as is everything inside them. So there is no reason to password-protect them. The only time you need a password for a keystore is to access a key entry. They have also built-in that if you supply a password the keystore's integrity is verified. As to how to recover it, you can't. It isn't in there: only a hash. You will have to either remember it, guess it, or start again. – user207421 Jun 16 '21 at 00:46

2 Answers

1

I can't get it: if my password is empty, why do I get an incorrect password error when I change it? If my password is not empty, why do I see the list of keys when I enter an empty password?

The list of key names and dates is not considered to be sensitive information.

According to the Oracle keytool documentation:

"The password must be provided to all commands that access the keystore contents. For such commands, when the -storepass option is not provided at the command line, the user is prompted for it."

"When retrieving information from the keystore, the password is optional. If no password is specified, then the integrity of the retrieved information cannot be verified and a warning is displayed."

I agree that this is unclear, but to me it implies that --list which just retrieves information rather than keystore content does not require a password ... as we observe.

As for the case where you supply the wrong password. Well, if you supplied a password and it was wrong, the keytool command should give you at least an error message. If it was to proceed and give you a listing anyway, that would be (IMO) rather odd.

But the bottom line is that keytool behaves like it does in this edge-case. Knowing precisely why doesn't help you solve your problem with your lost password. (I think that the only route to solving that is to attempt to brute-force the password.)

Stephen C
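The behaviour discussed in this answer, as an added example that is not part of the original post and is not keytool's own code. It assumes the file is a version 2 JKS keystore (the page does not state the store type), where aliases and dates are stored unencrypted and the store password only feeds a SHA-1 digest at the end of the file. `build_sample` and its password are constructed for illustration.

```python
import hashlib, hmac, struct
from datetime import datetime, timezone

MAGIC, SALT = 0xFEEDFEED, b"Mighty Aphrodite"  # JKS magic number, digest salt

def _digest(password, body):
    # Trailer: SHA-1(password as UTF-16BE + salt + all preceding bytes)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def list_entries(blob):
    """Alias, creation date and entry type; readable without any password."""
    magic, version, count = struct.unpack_from(">III", blob, 0)
    if magic != MAGIC or version != 2:
        raise ValueError("not a version 2 JKS keystore")
    pos, entries = 12, []
    def num(fmt):                    # fixed-size big-endian integer
        nonlocal pos
        (value,) = struct.unpack_from(fmt, blob, pos)
        pos += struct.calcsize(fmt)
        return value
    def field(fmt):                  # byte string prefixed by its length
        nonlocal pos
        n = num(fmt)
        pos += n
        return blob[pos - n:pos]
    for _ in range(count):
        tag = num(">I")              # 1 = private key, 2 = trusted certificate
        alias = field(">H").decode("utf-8")      # assumes an ASCII alias
        created = datetime.fromtimestamp(num(">q") / 1000, timezone.utc).date()
        if tag == 1:
            field(">I")              # password-protected key bytes, skipped unread
        for _ in range(num(">I") if tag == 1 else 1):
            field(">H"), field(">I") # certificate type, certificate bytes
        kind = "PrivateKeyEntry" if tag == 1 else "trustedCertEntry"
        entries.append((alias, created.isoformat(), kind))
    return entries

def check_integrity(blob, password):
    """None when no password is given (check skipped), else True or False."""
    if password is None:
        return None
    return hmac.compare_digest(_digest(password, blob[:-20]), blob[-20:])

def build_sample(password):
    """Constructed one-entry keystore; key and certificate are placeholders."""
    f = lambda fmt, b: struct.pack(fmt, len(b)) + b
    body = struct.pack(">IIII", MAGIC, 2, 1, 1) + f(">H", b"xxxx")
    body += struct.pack(">q", 1592956800000) + f(">I", bytes(16))  # 2020-06-24 UTC
    body += struct.pack(">I", 1) + f(">H", b"X.509") + f(">I", bytes(8))
    return body + _digest(password, body)
```

Listing succeeds with no password because nothing it reads is encrypted, while a supplied password (including an empty string) is checked against the trailing digest and fails if it does not match.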
0

I have no explanation for the apparent inconsistency (I haven't done Android development in a while), but if it turns out that you just need to recover your password, that is sometimes possible depending on your platform and other circumstances. See the methods in the answers to this question.

Trevor Angle