
I have developed an Android app that I am transferring to another person for further development. I have understood that if the new developer uses the same keystore, the seamless upgrade process continues.

How does Android validate the certificate when it is updating apps? Does it validate only the signature, or does it compare the whole certificate along with the Subject name?

My problem is that the new developer would like to market the app under their company name, not mine, hence the Google account change. But the certificate also contains my name, and I would like to generate a new certificate with the same private key, which should produce an identical signature, but with a different Subject in the cert.

I have not used the certificate for any other apps, so I have no problem giving it away.

PS. Is it at all possible to upload the same application from another Google Account using the same keystore and package name so that seamless upgrade continues?

Laas

2 Answers


No, when a certificate is signed, the TBS field of the certificate is signed. As you can see, the TBS field contains a Subject field.

   Certificate  ::=  SEQUENCE  {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }

   TBSCertificate  ::=  SEQUENCE  {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version MUST be v2 or v3
        subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version MUST be v2 or v3
        extensions      [3]  EXPLICIT Extensions OPTIONAL
                             -- If present, version MUST be v3
        }

So, you cannot change fields in the TBS. Either continue without changing the certificate (the subject) or create a new certificate with the other person's credentials. But for that you will have to deactivate your app and upload a fresh app (not as an update, but as a new app), which I think is not a good solution. So it is better to continue with your certificate.

It doesn't care about the actual 'details' (certificate DN, serial number, etc.), but just compares the certificates as binary blobs as told here. Since the certificates are different, you can't update an app originally signed with cert1 with another signed with cert2.

Ashwin
  • Of course, when I modify the `tbsCertificate` field, the existing signature becomes invalid, but I am talking about a whole new certificate that contains the **same public key** and is itself signed with the same **private key**. This certificate itself is valid. And as this public key corresponds to the private key that is used to sign both apps, the signature of the apps should pass also. – Laas Nov 20 '12 at 13:23
  • Did you mean that Android uses the `tbsCertificate` field as the basis for verifying the update as the same app? – Laas Nov 20 '12 at 13:26
  • @Laas : A certificate is verified by checking the signature on the TBS field (Android or anywhere, for that matter). Even if you use the same public-private pair and change the subject name, it will not work, because now the signature would have changed. And Android will detect that there is a signature change and hence will not let you update the app. – Ashwin Nov 20 '12 at 13:48
  • You are incorrect. When I sign some `thing`, I use my **private key** that I keep secret. Then I publish this signed `thing` along with a certificate that contains my **public key**. To verify my signature, the **public key** from the certificate is used to verify that the signature is in fact made with my **private key**. – Laas Nov 20 '12 at 13:59
  • @Laas : See this post (see comments also) - http://stackoverflow.com/questions/10938298/how-does-androids-app-signature-verification-work/10942302#comment18434028_10942302 It says that 1) the app signature is checked, 2) then the signing certificate is compared as a binary blob to the one of the currently installed version of the app to make sure that the two versions have been signed with the same key/certificate (e.g., by the same person/company). – Ashwin Nov 20 '12 at 14:11
  • When my certificate expires, I can issue another and people can use that to verify the signature on the `thing` as long as I used the same **public-private keypair** in the new certificate. This is how it is in general use case. Now, Android could also suffice with comparing the signatures on both versions of the app and declare that as long as they are made with the same **private key** they are the same app. But my question was: does Android check anything else, besides signatures _of the app_? – Laas Nov 20 '12 at 14:11
  • If you move the last comment into the answer, I can accept it - that's just what I was looking for. Thanks. ;-) – Laas Nov 20 '12 at 14:15
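Added example (not code from the original post or from Android itself): a Go program that reproduces the situation Laas describes, reissuing a self-signed certificate under a different subject on the same key pair, and then applies both checks discussed in the comments above. The subject names, validity dates and the APK stand-in are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSign issues a self-signed cert for key; only the subject CN and serial vary.
func selfSign(key *ecdsa.PrivateKey, cn string, serial int64) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Date(2012, 11, 20, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2042, 11, 20, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}
// SameSignerKey is the check the asker hoped would suffice: the new cert's public key verifies the old key's signature.
func SameSignerKey(certDER, digest, sig []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest, sig)
}
// SameCertBlob is the comparison the accepted answer describes: raw DER bytes, not subject or serial.
func SameCertBlob(installed, update []byte) bool {
	return bytes.Equal(installed, update)
}
// Reissue returns (new cert's key verifies the signature, cert blobs are byte-identical).
func Reissue(oldCN, newCN string) (bool, bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldCert := selfSign(key, oldCN, 1)
	newCert := selfSign(key, newCN, 2)
	digest := sha256.Sum256([]byte("constructed stand-in for APK contents")) // not a real APK
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SameSignerKey(newCert, digest[:], sig), SameCertBlob(oldCert, newCert)
}
```

The first result is true (the signature check alone would pass, as Laas argues) and the second is false (the blob comparison Ashwin quotes rejects the update), which is why the subject cannot be swapped without breaking upgrades.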

You cannot change the details of an already issued certificate, nor issue a new certificate as a drop-in replacement for your old certificate. So basically, if your application is already released, you either stick with the cert you used, or you need to drop the certificate, which in this case means you need to release a new application (not an update).

Marcin Orlowski