Here’s a brief but important piece of advice for Android app developers: starting with your first app, prepare for the situation where a company wants to acquire one of your applications. Use a unique signing key (alias) for each app! Otherwise you’ll be forced to either cancel the acquisition or hand over a key that you also use for other apps.
http://developer.android.com/guide/publishing/app-signing.html:
The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application’s developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications.
Android apps must be signed with a private key before releasing, and the key has to stay the same for later updates to be accepted by the Android market. A private key is generated and stored in a Java keystore by using the standard Java tool Keytool (one keystore can contain multiple keys). Jarsigner is used to sign the app with a key from a keystore.
The following keytool command creates a new key called “app1” inside a keystore file called “my-release-keys.keystore” (creating the keystore if it doesn’t already exist):

$ keytool -genkey -v -keystore my-release-keys.keystore -alias app1 \
    -keyalg RSA -keysize 2048 -validity 10000
Enter keystore password:
Re-enter new password:
What is your first and last name? [Unknown]: Chris Hager
What is the name of your organizational unit? [Unknown]: metachris.org
What is the name of your organization? [Unknown]: metachris.org
What is the name of your City or Locality? [Unknown]:
What is the name of your State or Province? [Unknown]: PA
What is the two-letter country code for this unit? [Unknown]: US
Is CN=Chris Hager, OU=metachris.org, O=metachris.org, L=Unknown, ST=PA, C=US correct? [no]: yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days for: CN=Chris Hager, OU=metachris.org, O=metachris.org, L=Unknown, ST=PA, C=US
Enter key password for <app1>
(RETURN if same as keystore password):
Re-enter new password:
[Storing my-release-keys.keystore]
To generate and add an additional key, simply issue the same command with a different alias. To list all keys inside a keystore you can use “keytool -list -keystore <keystore-filename>”:

$ keytool -list -keystore my-release-keys.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
app2, Dec 17, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): A4:C9:3E:E7:6A:B3:AB:73:45:B1:0D:2B:3B:11:CA:78
app1, Dec 17, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 70:9C:55:BB:A9:EE:10:CB:6A:DA:4A:C0:93:46:43:65
Now imagine a company acquires one of your apps (let’s say “app1” for this example) and needs to get the certificate key so they can submit updates to the Android market. Keytool provides all the functionality we need; the following command exports the key for app1 into a file called app1.key:
$ keytool -exportcert -alias app1 -keystore my-release-keys.keystore > app1.key
The company can now import this key into their own keystore with the following command:
$ keytool -importcert -file app1.key \
    -keystore company-release-keys.keystore -alias app1
Enter keystore password:
Owner: CN=Chris Hager, OU=metachris.org, O=metachris.org, L=PA, ST=PA, C=US
Issuer: CN=Chris Hager, OU=metachris.org, O=metachris.org, L=PA, ST=PA, C=US
Serial number: 4d0bb498
Valid from: Fri Dec 17 20:06:00 CET 2010 until: Tue May 04 21:06:00 CEST 2038
Certificate fingerprints:
  MD5: 70:9C:55:BB:A9:EE:10:CB:6A:DA:4A:C0:93:46:43:65
  SHA1: 3B:60:28:C5:9F:AD:2E:D6:1D:E1:8B:88:C8:04:BD:43:87:DF:D4:9D
  Signature algorithm name: SHA1withRSA
  Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
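A caveat on the handover: keytool -exportcert writes only the certificate (the public half of the entry), and an entry created with -importcert is listed as trustedCertEntry, which jarsigner cannot sign with. The following is an added example, not part of the original post: handover_entry copies a single PrivateKeyEntry into a separate keystore with keytool -importkeystore, and can_sign checks a keytool -list listing for it. The function names are hypothetical and the second sample listing is constructed.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, the file and alias
# names are the ones used in the post.

# Copy ONE entry (private key plus certificate) into a separate keystore
# that can be handed over. keytool prompts for the passwords, so they do
# not end up in the shell history or the process list.
handover_entry() {  # usage: handover_entry SRC_KEYSTORE ALIAS DEST_KEYSTORE
    keytool -importkeystore \
        -srckeystore "$1" -srcalias "$2" \
        -destkeystore "$3" -destalias "$2"
}

# Parse `keytool -list` output on stdin into "alias type fingerprint" lines.
list_entries() {
    awk '
        /Entry,? *$/ {
            n = split($0, f, /, */)
            alias = f[1]
            for (i = 2; i <= n; i++) if (f[i] ~ /Entry$/) type = f[i]
            next
        }
        /^Certificate fingerprint/ { print alias, type, $NF }
    '
}

# Succeed only if ALIAS holds a private key, i.e. can sign an update.
can_sign() {  # usage: keytool -list -keystore KS | can_sign ALIAS
    list_entries | awk -v a="$1" \
        '$1 == a && $2 == "PrivateKeyEntry" { ok = 1 } END { exit !ok }'
}

# Listing from the post (developer keystore).
developer_listing() {
    cat <<'EOF'
app2, Dec 17, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): A4:C9:3E:E7:6A:B3:AB:73:45:B1:0D:2B:3B:11:CA:78
app1, Dec 17, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 70:9C:55:BB:A9:EE:10:CB:6A:DA:4A:C0:93:46:43:65
EOF
}

# Constructed listing: what the receiving keystore shows after -importcert.
after_importcert_listing() {
    cat <<'EOF'
app1, Dec 17, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 70:9C:55:BB:A9:EE:10:CB:6A:DA:4A:C0:93:46:43:65
EOF
}
```

Run handover_entry my-release-keys.keystore app1 app1-handover.keystore, then pipe keytool -list -keystore app1-handover.keystore into can_sign app1 before handing the file over; the other aliases stay in the original keystore.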
I have just recently experienced the situation of a friend who signed multiple distinct apps with the same key and got an acquisition offer for one of them. He did accept, although he needed to hand over his primary key used for five other apps as well.
I hope this post might help to avoid a similar situation for other developers.





December 17th, 2010 at 9:33 pm
Good point! Would not have occurred to me to think of that.
December 18th, 2010 at 5:31 pm
Thanks for the advice, I’ll definitely work it into my next application. I’m curious to know how prolific the acquisition market is.
December 18th, 2010 at 10:52 pm
I think more companies are starting to acquire apps and especially games, in particular because of a large userbase. Launching a new version instantly to 500k or even 1m users is a valuable shortcut.