98

Is the keystore the actual certificate, or is the alias the certificate?

If I use a different alias to sign my app, will it mess up updates on the market? Or would I need to sign my app with a different keystore to mess things up? And where is the info under alias viewable from?

Julio Gorgé
  • 9,998
  • 2
  • 43
  • 60
Roger
  • 4,041
  • 7
  • 38
  • 58

1 Answers1

129

The keystore file generated by Keytool stores pairs of private and public keys. Each pair or entry stored in the keystore is refered by a unique alias. In brief:

Keystore entry = private + public key pair = identified by an alias

The keystore protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password.

For instance, when you sign an Android application using the Export Signed Application Package option of the Eclipse Android tool, you are asked to select a keystore first, and then asked to select a single alias/entry/pair from that keystore. After providing the passwords for both the keystore and the chosen alias, the app is signed and the public key (the certificate) for that alias is embedded into the APK.

Now to answer your question, you can only release an update to an application that was signed with the alias 'foo' by signing the update again with the same alias. Losing the keystore where your alias is stored would prevent you from releasing an updated version of your app.

There is however a way to sign an app with a new alias, but it involves cloning an existing alias in the keystore using keytool -keyclone:

Creates a new keystore entry, which has the same private key and certificate chain as the original entry.

The original entry is identified by alias (which defaults to "mykey" if not provided). The new (destination) entry is identified by dest_alias. If no destination alias is supplied at the command line, the user is prompted for it.

If the private key password is different from the keystore password, then the entry will only be cloned if a valid keypass is supplied. This is the password used to protect the private key associated with alias. If no key password is supplied at the command line, and the private key password is different from the keystore password, the user is prompted for it. The private key in the cloned entry may be protected with a different password, if desired. If no -new option is supplied at the command line, the user is prompted for the new entry's password (and may choose to let it be the same as for the cloned entry's private key).

More information:

http://download.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html

http://developer.android.com/guide/publishing/app-signing.html

EvilTeach
  • 26,577
  • 21
  • 79
  • 136
Julio Gorgé
  • 9,998
  • 2
  • 43
  • 60
  • 3
    The dev site suggests using the same certificate for all your apps. So does this mean, as long as I'm using the same keystore, I can use any alias with any password and it won't mess up updates, as it's just a reference? The actual keystore is the important part? – Roger Apr 20 '11 at 02:39
  • 1
    I rewrote my answer to be more accurate. In short, you must indeed use the same alias to sign all the updates of your application. – Julio Gorgé Apr 20 '11 at 02:52
  • 2
    @Julio So would the best practice be to use the same alias for all the different Apps you want to publish, as the dev site suggests? I don't see a reason to create a separate alias for all your Apps. – Tony Chan Aug 31 '11 at 00:08
  • @JulioGorgé-Hey, I just wanted to know that R alias-name case sensitive..?? – Name is Nilay Feb 20 '13 at 07:10
  • @JulioGorgé do you mean the same alias or the same key. Alias is just a name, I can rename the alias. You can release an update to as long as the keys (public keys to be specific) in the app match. – Dheeraj Bhaskar Sep 11 '14 at 09:05
  • Alias is NOT case-sensitive – nanosoft Dec 18 '14 at 03:46
  • Do I need to sign ALL ( I mean Different apps) my APP with the same ALIAS ? Each time I sign, do I need to put the same ALIAS (using same password) for all my apps? If I sign a new app with the SAME ALIAS, will the public and private key be different for that new app ? – Tanvir Mar 17 '15 at 14:49
  • @Roger The answer here suggests that using different aliases for different apps or groups of apps would make sense in case you sell your app. http://stackoverflow.com/a/37173660/745776 – juil Jun 02 '16 at 02:55