I am building something that is like an app store, and its market includes Android mobile apps. I do not own a Google Play Developer Console account (yes, I still don't have that $25), but I do know of course that Google Play relies heavily on the certificates that are added when the APK is signed for release. I am not very sure about this, but I think there are at least two (2) reasons why these certificates are important:
- It is used so that someone cannot upload other people's work. (E.g. I won't be able to upload the Google+ APK in my own account because I do not know its certificate details. But I am a little bit confused about this because, if what I know is correct, certificates have private and public keys. So, which keys do you give to Google Play? Those who have console accounts can enlighten me about this.)
- I think it is also useful in a way that, if my Google Play Console account was breached, the hacker cannot upload a new malicious update because again, he cannot copy the certificate (or that is what I think at least, but now I am confused because I remembered that certificates have an expiry date so please enlighten me on this one too.)
So now, this is my real problem. As I said earlier, I am making an app-store-like website that markets Android apps. Now, because of what I said earlier about certificate signing on APKs, I also want to make sure that the developers who upload their apps really own the app (so that no one will upload, for example, the Facebook APK, which is obviously not theirs; another useful thing about it is that there won't be duplicate apps).
We are using PHP and would like to stick with PHP as much as possible. Is there a way of doing this with PHP, and how? And what keys does the developer need to provide (to be used for verification)? Private keys or public keys (I'm a bit confused about this, but I am guessing it's the private keys)? Thanks!
EDIT:
I stumbled upon this link; can this be implemented in PHP? Sorry, I'm still not very experienced with PHP and I do not know whether terminal commands can be run from it.
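An added example, not part of the original post: one way to run the check from PHP is to let the Android SDK's `apksigner` verify the APK and then pin each package name to the signer certificate digest seen on its first upload. It assumes `apksigner` is on the PATH, that the package name has already been read from the APK's manifest, and that `$pins` stands in for a database table; the function names are hypothetical. Only the public certificate embedded in the APK is used, so the developer never hands over a private key.

```php
<?php
/** Run apksigner (which verifies the APK's signatures); return its output, or null on failure. */
function apksignerOutput(string $apkPath): ?string
{
    $cmd = 'apksigner verify --print-certs ' . escapeshellarg($apkPath) . ' 2>&1';
    exec($cmd, $lines, $exitCode);
    // A non-zero exit code means the APK is unsigned, tampered with, or unreadable.
    return $exitCode === 0 ? implode("\n", $lines) : null;
}

/** Extract the signer certificate SHA-256 digests from apksigner's "Signer #N" output lines. */
function signerDigests(string $output): array
{
    preg_match_all('/^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})$/m', $output, $m);
    $digests = $m[1];
    sort($digests); // order-independent comparison when an APK has several signers
    return $digests;
}

/** Accept a first upload (and pin its signer) or an update signed by the pinned signer. */
function checkUpload(array &$pins, string $package, array $digests): string
{
    if ($digests === []) {
        return 'rejected: no verified signer';
    }
    if (!isset($pins[$package])) {
        $pins[$package] = $digests;
        return 'accepted: first upload, certificate pinned';
    }
    return $pins[$package] === $digests
        ? 'accepted: same signer as first upload'
        : 'rejected: signer differs from pinned certificate';
}

// Constructed sample of apksigner output (not from a real APK), so the logic runs offline.
// With a real upload, pass apksignerOutput($uploadedPath) instead, treating null as a rejection.
$sample = "Signer #1 certificate DN: CN=Example Dev\n"
        . "Signer #1 certificate SHA-256 digest: " . str_repeat('ab', 32) . "\n"
        . "Signer #1 certificate SHA-1 digest: " . str_repeat('cd', 20) . "\n";

$pins = []; // assumption: stands in for a table keyed by package name
echo checkUpload($pins, 'com.example.app', signerDigests($sample)), "\n";
echo checkUpload($pins, 'com.example.app', signerDigests($sample)), "\n";
echo checkUpload($pins, 'com.example.app', [str_repeat('ef', 32)]), "\n";
```

Verification shows that the APK is intact and which certificate signed it; it does not show that the uploader holds the private key, because anyone can upload an unmodified copy of a signed APK. Pinning therefore protects updates to an already registered package, while the first upload of a package name still needs a separate ownership check.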