Wednesday, January 19, 2011

signing multiple certificates on apk

Following up on the earlier post about converting the keys in Android into a keystore:
http://allstarschh.blogspot.com/2009/08/blog-post.html

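This time, let's look at the issue of signing an APK with multiple certificates.

An APK can be signed by multiple certificates.

However, the Android group has consistently advised against signing with multiple certificates, which probably has to do with how the process (uid) is assigned.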


The Android documentation says:
http://neacm.fe.up.pt/docs/android/guide/publishing/app-signing.html


When the system is installing an update to an application, if any of the certificates in the new version match any of the certificates in the old version, then the system allows the update

The code is here:
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=blob;f=services/java/com/android/server/PackageManagerService.java;h=86504a095daf999724611f77ec6ba924dc744d7a;hb=refs/heads/eclair-release#l1349

Note that s1 is the new one and s2 is the original one.
So as long as one of the new signatures matches one of the old signatures, the install is allowed.


However, this code was changed in Froyo:
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=blob;f=services/java/com/android/server/PackageManagerService.java;h=b70d69bab7d81c72e9a84a736befeeb455e61609;hb=refs/heads/froyo-release#l1853

It now uses HashSet.equals.

So now the certificates of the two APKs must be exactly the same (regardless of order) before an upgrade is allowed.
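The two update rules side by side, as an added example that is not code from PackageManagerService: `anyMatch` models the rule quoted from the documentation above, and `sameSet` models the Froyo behaviour described above. The class name, method names and the `CERT_*` strings are constructed placeholders standing in for real signatures.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class UpdateSignatureCheck {
    // Rule quoted from the documentation: one certificate shared between
    // the new package (s1) and the installed package (s2) is enough.
    static boolean anyMatch(String[] s1New, String[] s2Old) {
        for (String n : s1New) {
            for (String o : s2Old) {
                if (n.equals(o)) {
                    return true;
                }
            }
        }
        return false;
    }

    // Froyo rule as described: both certificate sets must be equal,
    // compared with HashSet.equals so the order does not matter.
    static boolean sameSet(String[] s1New, String[] s2Old) {
        Set<String> a = new HashSet<>(Arrays.asList(s1New));
        Set<String> b = new HashSet<>(Arrays.asList(s2Old));
        return a.equals(b);
    }

    public static void main(String[] args) {
        // Constructed sample: the installed APK carries two certificates.
        String[] installed = {"CERT_A", "CERT_B"};
        String[][] updates = {
            {"CERT_B", "CERT_A"},   // same certificates, different order
            {"CERT_A"},             // one certificate dropped
            {"CERT_A", "CERT_C"},   // one shared, one unknown certificate
            {"CERT_C"},             // nothing in common
        };
        for (String[] u : updates) {
            System.out.printf("%-18s any-match=%-5b same-set=%b%n",
                    Arrays.toString(u), anyMatch(u, installed), sameSet(u, installed));
        }
    }
}
```

The third row is the case that matters for review: an update carrying one original certificate plus an unknown one passes the any-match rule but is rejected under set equality.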

PS.
To sign with multiple certificates you should probably use jarsigner.
signapk.jar can only use a fixed alias:
http://android.git.kernel.org/?p=platform/build.git;a=blob;f=tools/signapk/SignApk.java;h=c4d73c8cfba5a7784b4ad9196e4a388ebd8920df;hb=HEAD#l76
