1

I have been developing my Android App on Linux and Eclipse for a year now. Decided to switch to Windows for a number of reasons. Jumped through all the hoops, and now have my App building and exporting fine in Windows. ADT accepts and uses my developer certificate - store password and key password work fine.

The resulting App installs fine on real devices, and appears to be signed fine, but Android Market will not accept upload of the App update with the following error:

"The apk must be signed with the same certificate as the previous version"

Going back to Linux, I generate the APK and can upload it fine. Obviously the tool chain is generating a different binary. Verified using diff.

I am using the same version of Java on both platforms. I'm exporting using the same keystores and the same passwords. On running jarsigner -verify I get the following:

Windows:

  X.509, O=VoltUp, C=US
  [certificate is valid from 11/17/10 10:28 AM to 10/24/10 11:28 AM]

Linux:

  X.509, O=BatteryStorm Mobile Inc, C=US
  [certificate is valid from 10/25/10 12:04 AM to 10/17/40 12:04 AM]

So obviously O= has changed. How could this be?

durron597
Yossi
  • http://stackoverflow.com/questions/2505081/android-certificate-changed – Yossi Nov 13 '11 at 22:06
  • You *did* transfer your "release" app signing certificate from the old to the new environment, didn't you? – JimmyB Nov 13 '11 at 22:54
  • Of course. It is checked into my source control system and it was restored fine. ADT accepted both store password as well as cert. passwords. BTW, did a diff on the binaries. 99.9% the same. Proguard data is different though. One additional item: using JAVA 7 on Windows, JAVA 6 on Linux. – Yossi Nov 14 '11 at 00:09
  • See http://stackoverflow.com/questions/8036422/android-signing-with-ant/8225017#8225017 – FeelGood Nov 22 '11 at 10:20

2 Answers

4

Binary diffs will reveal nothing. Use jarsigner to check the differences in the actual signatures:

  jarsigner -verify -verbose -certs app.apk

Most likely the reason for your problem is that the default digest algorithm for jarsigner has been changed to SHA256 in Java 7. If you specify SHA1 explicitly with -digestalg SHA1, you should get the same signature (or just use Java 6). Android, and the Market, compare the signature as a binary blob, and really don't care about the actual certificate at this point; that is why it complains. Technically, if it is signed with the same key by the same person (certificate), it should be considered a valid signature. Not letting you change the digest algorithm to a more secure one should be considered a bug.

BTW, I don't think ADT officially supports Java 7 yet.

Nikolay Elenkov
  • Thank you! Indeed JDK 7 is absent from http://developer.android.com/sdk/requirements.html . Jarsigner reports same signature for both APKs. Any idea on how to modify the ADT use of jarsigner to include the digest algorithm selection? Or must I install JDK 6 for Android? – Yossi Nov 14 '11 at 10:33
  • It seems jarsigner doesn't report the signature/digest algorithm, just the certificate DN. I don't think you can pass options to jarsigner if you use ADT. You can export an unsigned package and manually sign it using jarsigner. Cf. http://developer.android.com/guide/publishing/app-signing.html – Nikolay Elenkov Nov 14 '11 at 13:07
  • See also: https://groups.google.com/forum/#!topic/android-developers/JMQsdsKr7-0 I confirm that using JDK 6 instead of 7 fixed the problem for me. – BoD Nov 17 '11 at 17:55
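
An added example, not part of the original posts: a way to compare two builds on the two points raised above, the digest algorithm named in the .SF file (which the comments note jarsigner did not report) and the SHA-256 fingerprint of the signer certificate inside the signature block. It assumes JAR (v1) signing as discussed on this page; the function names and the sample APKs are constructed for illustration.

```python
import hashlib, io, re, zipfile

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, pos, pos + length

def first_cert_der(pkcs7):
    """Return the first certificate stored in a PKCS#7 SignedData block (.RSA/.DSA/.EC)."""
    _, p, _ = _tlv(pkcs7, 0)                # ContentInfo SEQUENCE
    _, _, p = _tlv(pkcs7, p)                # skip the contentType OID
    _, p, _ = _tlv(pkcs7, p)                # [0] EXPLICIT wrapper
    _, p, end = _tlv(pkcs7, p)              # SignedData SEQUENCE
    while p < end:
        tag, start, p = _tlv(pkcs7, p)      # version, digestAlgorithms, contentInfo, ...
        if tag == 0xA0:                     # [0] certificates: take the first entry whole
            return pkcs7[start:_tlv(pkcs7, start)[2]]
    raise ValueError("no certificate in signature block")

def describe_signing(apk):
    """apk: path or file object. Returns v1 digest names and the signer cert SHA-256."""
    with zipfile.ZipFile(apk) as z:
        sf = next(n for n in z.namelist() if re.fullmatch(r"META-INF/[^/]+\.SF", n, re.I))
        block = next(n for n in z.namelist() if re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n, re.I))
        text = z.read(sf).decode("utf-8", "replace")
        digests = set(re.findall(r"^([A-Za-z0-9-]+?)-Digest\b", text, re.M))
        cert = first_cert_der(z.read(block))
    return {"digests": sorted(digests), "cert_sha256": hashlib.sha256(cert).hexdigest()}

def _der(tag, body):                        # constructed-sample helper: encode one DER element
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (raw if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def make_sample_apk(cert_body, digest):
    """Constructed input: a zip holding a minimal CERT.SF and a PKCS#7-shaped CERT.RSA."""
    signed = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, b"")
                  + _der(0xA0, _der(0x30, cert_body)) + _der(0x31, b""))
    pkcs7 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010702")) + _der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.SF", f"Signature-Version: 1.0\r\n{digest}-Digest-Manifest: AAAA\r\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":                  # two constructed APKs: different cert, different digest
    a, b = (describe_signing(make_sample_apk(c, d)) for c, d in [(b"cert-A", "SHA1"), (b"cert-B", "SHA-256")])
    print("same signer:", a["cert_sha256"] == b["cert_sha256"], a["digests"], b["digests"])
```

Run `describe_signing` on the previously published APK and on the new build: a differing `cert_sha256` means a different keystore entry was used, while a differing digest name alone points at the JDK's jarsigner default.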
0

DUH!!! I made a stupid mistake with my revision control and was using the wrong version of my key store ... ignore this!

Yossi