If a signing key expires, do existing apks refuse to install, or does it just mean that new apps can't be signed with that key?

We are recommended to use keys that expire in 25+ years, and Google Play mandates expiry of at least 2033-10-22! However, some people may wish to renew their keys far more frequently than that for security reasons (Moore's law, cracked algorithms, etc.).

If an apk's key has expired, is there any way of installing it (without relying on the developer to re-release)?

James Haigh
  • Note to anyone about to answer: I have now answered my own question in full. I will post it when the 8 hour timer for new users runs out... – James Haigh May 13 '12 at 01:16
  • Does this answer your question? [What is going to happen when the first Android keystore certificates expire?](https://stackoverflow.com/questions/45259955/what-is-going-to-happen-when-the-first-android-keystore-certificates-expire) – Ryan M Nov 27 '20 at 20:10

1 Answer

> If a signing key expires, do existing apks refuse to install, or does it just mean that new apps can't be signed with that key?

jarsigner will refuse to use an expired key, and apks signed with the old key will be refused by Android on install, but apps already installed will continue to run just fine.

https://developer.android.com/guide/publishing/app-signing.html

> If an apk's key has expired, is there any way of installing it (without relying on the developer to re-release)?

Yes, the apk can be re-signed with your own certificate.

James Haigh
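An added example, not part of the original question or answer and not Android's or jarsigner's own code: a standard-library check that reads the validity window of a signing certificate and compares its end date with the clock and with the 2033-10-22 date quoted in the question. It assumes the certificate is already available as DER bytes; `assess`, `sample_cert` and the two sample certificates are constructed for illustration.

```python
from datetime import datetime, timezone

PLAY_MIN_EXPIRY = datetime(2033, 10, 22, tzinfo=timezone.utc)  # date quoted in the question

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 puts the pivot at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    elif tag != 0x18:  # anything else must be GeneralizedTime
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):  # -> (notBefore, notAfter) of a DER-encoded X.509 certificate
    pos = read_tlv(der, read_tlv(der, 0)[1])[1]  # enter Certificate, then tbsCertificate
    pos = read_tlv(der, pos)[2] if der[pos] == 0xA0 else pos  # skip optional [0] version
    for _ in range(3):  # skip serialNumber, signature algorithm, issuer
        pos = read_tlv(der, pos)[2]
    pos = read_tlv(der, pos)[1]  # enter the Validity SEQUENCE
    tag1, start1, pos = read_tlv(der, pos)
    tag2, start2, end2 = read_tlv(der, pos)
    return parse_time(tag1, der[start1:pos]), parse_time(tag2, der[start2:end2])

def assess(der, now):
    _, not_after = cert_validity(der)
    return {"not_after": not_after, "expired": now > not_after,
            "meets_play_minimum": not_after >= PLAY_MIN_EXPIRY}

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def sample_cert(not_before, not_after):  # constructed unsigned skeleton, not a real certificate
    t = lambda s: tlv(0x17 if len(s) == 13 else 0x18, s)
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty + empty
              + tlv(0x30, t(not_before) + t(not_after)) + empty + tlv(0x03, bytes(200)))
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))

NOW = datetime(2012, 5, 13, tzinfo=timezone.utc)  # fixed clock so results are reproducible
SHORT = sample_cert(b"100101000000Z", b"120101000000Z")  # constructed: expired before NOW
LONG = sample_cert(b"120101000000Z", b"20520101000000Z")  # constructed: GeneralizedTime end
print(assess(SHORT, NOW), assess(LONG, NOW))
```

End dates from 2050 onward are encoded as GeneralizedTime rather than UTCTime, which is why the parser handles both tags.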