1

To build an apk we need a certificate, this certificate contains the public key and also some metadata (like Company, …). The certificate itself is generated through the app signing key.

The app signing key is exactly the same as a keystore entity or? (what I think for now)

And what does one keystore entity contains exactly?

Does a keystore entity stores the „private key + public key + metadata“ inside one entity? or the „private key + metadata (separate)“ and generates the public key through the private key? or only a „private key“ where the metadata are written in and generates the public key through the private key?

Or otherwise? I would really like to know more technical based informations about a keystore entity/app signing key and couldn’t find a more detailed (technical based) description of storage and generation.

Thank you

Google:

"A keystore is a binary file that contains one or more private keys“
"Generate Signed APK […], select a keystore, a private key, and enter the passwords for both.“ https://developer.android.com/studio/publish/app-signing.html

pedrofb
  • 37,271
  • 5
  • 94
  • 142
MJey
  • 345
  • 3
  • 16

1 Answers1

0

A keystore is a container for keys and certificates. An Android Keystore contains the app signing key and the matching certificate.

A cryptographic key pair, public and private is generated randomly. The public key is embedded in an X509 certificate along with some additional attributes such as serial number or common name. The certificate is signed with the private key to ensure the origin and integrity. See Certificate enrollment process

Finally the private key and the certificate can be imported into a keystore file: JKS, BKS or PKCS#12

The apk is digitally signed using the private key contained in the keystore, and the certificate is also included, so you could verify the identity of the signatory and the integrity of the package

pedrofb
  • 37,271
  • 5
  • 94
  • 142