
I read this article about signing your Android applications. I used Eclipse to export my Android application, had to create a keystore (which succeeded) and a private key with an alias (which also succeeded). So I know that I have to sign the application with a private key.

However, the article does not make clear anything on the following questions:

  • What is a private key?
  • Should each application you make have another key or should they share the same private key?
  • What is an alias?
  • Why do the applications have a validity lifetime?
MC Emperor

  • @downvoter: Please leave a comment to explain the downvote. – MC Emperor May 07 '13 at 19:01
  • Not my downvote, but you should get a lot of information about public/private keys at [Wikipedia](https://en.wikipedia.org/wiki/Public-key_cryptography). – nkr May 07 '13 at 19:03
  • I think it's a valid question; he's not asking for technical information about public/private authentication so much as the practical implications in the Android context. – Jay Bobzin May 07 '13 at 19:05

2 Answers

A private key is a cryptographic tool that verifies you are the owner of the app. Any build that is being updated to the Google Play store must be signed by your private key to prove it is a legitimate build.

So each different application that you want to upload to the store should have its own private key. If you ever lose this key, you will not be able to upload any new versions of your app, so make sure to store it somewhere safe and make backups!

However, you can store multiple private keys in the same keystore for convenience. (Although I do not, I find it more convenient to have a different keystore for every project as well.)

An alias is simply an easy-to-read name for the key. Nothing more, nothing less.

It's worth noting, when you do an Eclipse "Run", it uses something called the debug key to run the application. This works fine because you are not trying to upload this build to the store, but this is why you need to use a separate build process to build your application for deployment.

The lifetime validity is a technical requirement. Just set it way in the future and don't worry about it.

Jay Bobzin

  • Hey, so just to clarify: there is one keystore and a private key for each app I publish? For example, one private key for App A and another private key for App B. And if I want to publish an update for App B, I use App B's private key and not App A's? Thank you for reading and writing this answer. – user3364963 Oct 29 '14 at 22:38
  • Yes, you should have a private key for each app. I also recommend having a separate keystore for each app, so that if you ever want to give someone access to just one of your private keys, you can easily do so. But you *could* have two private keys in the same keystore. – Jay Bobzin Oct 29 '14 at 22:44


Signing is like a certificate for your Android application (think web certificates to have some idea) - it proves that you're the owner of that application. Every app must be signed, as the link you provided clearly says.

In theory, every application from a developer should be under the same signature (after all, it's *your* signature, not the app's).

The alias is just that: an alias for your key, which you use to refer to the keystore when signing the application.

And about the lifespan, not everything lasts forever. Those signatures (or certificates if you will) can last over 25 years. Not something you have to worry about.

fcm
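As an added example (not from the question or either answer), here are the keytool and apksigner steps that the Eclipse export wizard wraps: one keystore per app, a private key stored under a human-readable alias, and an explicit validity period. The store password, the distinguished name and the 10000-day validity are assumed placeholder values.

```shell
#!/bin/sh
# Added example: one release keystore per app, each holding one private key
# under a human-readable alias, with the validity period set explicitly.
# Needs the JDK's keytool; sign_apk additionally needs apksigner from the
# Android SDK build-tools. Passwords and the DN below are placeholders.
set -eu

# Create a keystore containing a single RSA key pair under the given alias.
# -validity is in days; 10000 days is roughly 27 years (assumed value).
make_release_keystore() {
    store="$1"; alias_name="$2"; pass="$3"
    keytool -genkeypair -keystore "$store" -storepass "$pass" -keypass "$pass" \
        -alias "$alias_name" -keyalg RSA -keysize 2048 -validity 10000 \
        -dname "CN=Example Developer, O=Example, C=US" >/dev/null 2>&1
}

# Print the alias of every private-key entry in a keystore, one per line.
list_aliases() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null |
        sed -n 's/^\([^,]*\),.*PrivateKeyEntry.*/\1/p'
}

# Print the "Valid from ... until ..." line of the certificate behind an alias,
# which is where the lifetime asked about in the question is recorded.
key_validity() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        grep '^Valid from'
}

# Sign a release build with the key behind one alias. The debug key that an
# IDE "Run" uses is never involved here; this is the separate release step.
# Usage: sign_apk store.keystore storepass alias app-unsigned.apk app-release.apk
sign_apk() {
    apksigner sign --ks "$1" --ks-pass "pass:$2" --ks-key-alias "$3" \
        --out "$5" "$4"
}
```

Run `make_release_keystore` once per app and keep each resulting file backed up; losing it means the answer's warning applies and no further updates can be signed.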