At this Android Developers link it is stated that
The value of ANDROID_ID does not change even if a system update causes the package signing key to change.
Can a system update change an app's package signing key? And if so, how?
The only way a system update could change a package's signing key is if that package is in the system image. A normal app (that is, one downloaded from the app store that is not part of the system image) would not have its signing key changed.
That is to say: a system update, without a factory reset or a reinstall of the app, will not change the app's ANDROID_ID, and it won't change the signing key either, except possibly if that app is included with the system image.
I need help with signing Android Native app with existing .p12 certificate generated for Adobe Air. Application was done in Adobe Air few years ago, signed and published to Google play. Now when moving from Adobe Air to Android Native, in order to upgrade app to the new version on store, it needs to be signed with the same private key. The problem is that it is not possible to open/read the key via keytool on newer versions of java. Trying to read the .p12 certificate will return:
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): Redundant length bytes found
or
keytool error: java.io.IOException: Invalid keystore format
depending on a command I'm trying to execute.
(1) Asking old friend Google didn't bring much, but more frustration. I did like it was suggested in jira ticket of openjdk, i tried to use OpenSSL to fix redundant bytes in this way:
openssl pkcs12 -in pkcs12-file -out key-and-cert -nodes -passin pass:abcXYZ
openssl pkcs12 -in key-and-cert -export -out new-pkcs12-file -passout pass:abcXYZ
This commands will execute successfully, BUT, the generated SHA1 key (...:F7) will not be the same as original one (...:E5)! That actually is not a surprise, since changing any part of the file(like removing redundant bytes) will end in different SHA key. Ok, so obviously this is not a solution.
(2) Next thing I tried, was to extract private key and certs as plain text(.pem) files from my original .p12 certificate, in order to try to create a new .jks file. So I managed to extract my private key, and my certs from original .p12 certificate into plain text. Then using keytools and openssl I tried to create my new .jks file with original data as mentioned here:
How to Creat JKS KeyStore file from existing private key and certificate
Well, it worked in a way that my new .jks file was created, BUT the SHA1 key (again ...:F7) was not the same as the original one (...:E5).
(3) My next step was reading and looking a much more over the internet. Found some solutions that are suggesting that conversion was last working in java 1.8.0_111, and every distribution of java above that had the same problem. So, let's install java 1.8.0_111 and give it a shot. Sure, it didn't worked. The problem stayed the same. Also tried in java 1.10, and Oracle versions, still not working
(4) Last thing I did, I installed java 1.6 and tried with it, and there was no problem, it worked perfectly, i managed to read the .p12 with no problem, convert it to .jks with no problems at all, worked like a charm. Generated SHA1 key (...:E5) was the same as the original one (...:E5)!!!
BUT, the problem is that application I need to sign with that certificate is developed with java 1.8, and java 1.8 can't read that certificate. So I'm quite frustrated at this point, since it's already couple of days I'm losing on this problem.
So, can't read it, can't regenerate it, can't sign the app ...
So my question is: is it possible, and if it is, how to sign Android apk with .p12 certificate?
I'm not sure how common this problem is, but any possible help is more then welcome.
I finally did manage to find the best solution to this problem that I was facing. And actually the solution was right in front of me, with a little bit of effort.
I tried switching to java 1.6 version just to sign the app, and actually I did manage to do the signing. Afterwords i would transfer the app again to 1.8 java environment and did the zipalign, successfully! When I managed all of this, i was really happy, hoping Google Play will finally accept the apk.
My hope died as soon as I uploaded the apk to the store. Google Play said that not all the files were signed and that I need to upload apk with all files signed. Can you imagine the level of frustration?
My problem was i had old .p12 certificate that was not possible to read in AndroidStudio or to convert to jks, but I was able to extract my private key, and my certificate from that file.
After I tried to look around a bit more, I managed to find the solution with apksigner tool.
Actually what i did was, I built an .apk signed with debug key, and after that just used apksigner tool, provided with my private key and certificate file, and finally the apk was signed. Then I was able to upload the apk to the Google Play Store with no problems.
The command that I used to sign the apk with apksigner tool is:
./apksigner sign --key <your_private_key_in_.pcks8> --cert <your_certificate_in.der> <your_debug_signed_application_in.apk>
Here it is necessary to notice that your key has to be in .pcks8 format, otherwise the command wont work. Also apksigner was run as script on linux, thats why "./" before apksigner. If you have this tool on windows or installed on some other way, you should be good to start command just with apksigner.exe or apksigner.
If you have your key in plain text (.pem) format, transfering it to the .pcks8 format can be done with openssl command:
openssl pkcs8 -topk8 -inform PEM -outform DER -in <your_private_key_in.pem> -out <your_private_key_in.pcks8> -nocrypt
Hate to be the bearer of bad news, but this is one of the reasons why version control is paramount in enterprise environments. When things update, builds can break.
There are three things I thought of which I didn't see listed above:
1] If you are using an IDE like Android Studio or IntelliJ, you could try breaking your project down into Java 1.8 code and Java 1.6 code. For example, you could create a keystore-signing module, and then add gradle commands for it to build using Java 1.6, while the rest of your project modules build using Java 1.8.
2] You could try creating your own signing class, and make direct calls to Java 1.6 classes which you could add manually to your project.
3] You could use a new keystore, change your package name, and point your former store listing to your new Java 1.8 app. This is probably the least preferable as it would be considered a new app on the store.
We could not sign our apps with legit certificates. So instead we published using a self-made certificate to compile / publish the app. Then we used Microsoft's Signtool(.exe) to do the job. Worked like a charm.
Three years ago I made my first Android application and signed it with my keystore and uploaded on playstore.
Well that time I shared my keystore with my college friends
Now I made a update for my application and I want to make it secure so no one other than me can place a update or cannot do anything wrong with my work. Well that app is published using my college account so anyone can access that account. They can't delete (college rules) but still they can experiment on my application.
Is changing the keystore password will help? Anything I can do in this situation? I have my original key with me. If there is no way to make it secure then definitely I don't want to waste my time on updating.
You cannot change your keystore. Each app is linked to one.
I tried looking up what an Android key hash on Google.
But all I got was how to generate it, not what actually what it is. Can anybody give a simple explanation of what this key hash actually is and why Facebook needs you to generate one to run samples and your own application?
Can anybody give a simple explanation of what this key hash actually is..
The key hash is a machine specific security check for authenticity. If you use multiple machines for development of the application, you need to add and save multiple key hash to your profile to authenticate every machine.
From the Facebook Documentation page:
..The key hash is used by Facebook as a security check for authenticity. By default, the app's package is signed with a machine specific debug key. When publishing the app it is typically signed with a different, release key. Therefore, you want to make sure you have the hashes of all the related keys set on Facebook...
...Note that you can add multiple key hashes here if you are developing with multiple machines. You will now be able to compile and run all of the authentication-based samples on your emulator without issue.....
(Emphasis mine)
Why does Facebook need you to generate one in order to run samples and your own application?
It's an authentication key to identify registered developers.
How to get key hash of your device?
If your using eclipse then go into window menu > preferences > android > build >
then on right side you will get your machines md5 and sha key which is your
hash key for facebook i think you need to provide your SHA key as a hash key for facebook
this is the very simple way to get your key hash rather than complex command tool process
what is key hash?
it is key associated with your device which is unique key to identify your device so when you provide it to facebook (in your case facebook) then they generte application key against your keyhash so only your machine able to generate the apk with runable output i mean facebook functionality will able to run with its full functionality
such kind of key hash also needed in google project also
NOTE: Never disclose your keyhash to anyone
hope this information will clear your doubts happy coding :)
One of my Android applications relies on another package to be installed as a license key. I could have gone with in-app purchases but key/license is the same for many of my apps.
In order to unlock some paid functionality in my app, I check for the existence of the package com.example.license. This works just fine but in order to add a an extra layer of rigidity, I would like to check that my package and the licence key package are signed by the same key be it debug or release. How can I check this? Is it as simple as calling PackageManager.checkSignatures?
here: Get certificate fingerprint from android app I've put some example how to get certificate from application. You just need to run this code against your app and the license package (just replace this.getPackageName with the com.example.license)