When exporting a signed Android application using Eclipse, is there a purpose to using multiple aliases? According to the official guide about signing, it's recommended that you sign all applications with the same certificate to allow your applications to share data and code and be updated in a modular fashion. Assuming that "alias", "key" and "certificate" are essentially interchangeable in this context, is there a reason why someone would want to use different aliases for all their applications? The only reason I can think of is that it adds more security to your applications, in the sense that a compromised key/password doesn't compromise everything. Are there other reasons?

Also, is the generated key dependent on the name of the alias? In other words, if you change the name of the alias but not the password, would the generated certificate be different?

Thanks.

+1  A: 

Aliases and passwords don't affect the certificate - you can change those at will.

There are a couple of reasons I can think of in which you may end up with multiple certificates, although they're probably both a bit of a stretch!

If you need two (or more) developers to be able to make releases (independently of each other/a third party/etc), you'd have to share the private key and password for signing the APK. If you have 3 projects and only collaborate on one of them, you probably don't want to be sharing a single key which lets them sign releases for all three of your projects, so you'd have separate keys in your keystore.

Of course, ideally, you wouldn't be sharing private keys, and you'd only have one person making releases. This can still give rise to a situation where you'd need to sign different projects with different keys - if I'm the person who signs releases for BigCompany, I'm going to have one certificate in the name of BigCompany which I use to sign their releases, and my own certificate to sign anything I do myself.

You also have to remember that the keystore is a generic Java construction - there are lots of non-Android uses for it which would entail having multiple certs.

Chris Smith
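The two claims made above can be checked directly with the JDK's `keytool`: renaming an alias or changing its password leaves the certificate (and so its fingerprint, which is what Android compares when deciding whether an update or a shared user ID is allowed) untouched, while generating a second key pair under its own alias, as in the "separate keys in your keystore" scenario, produces a different certificate. The script below is an added example, not code from the question or the answer; it assumes a JDK `keytool` on `PATH`, and the alias names, distinguished name and passwords in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It uses the
# JDK's keytool to show that renaming an alias or changing its password leaves
# the certificate untouched (same SHA-256 fingerprint, which is what Android
# compares for updates and shared user IDs), while generating a fresh key pair
# under another alias yields a different certificate.
# Alias names, DN and passwords below are constructed for the demo.

STOREPASS="store-demo-1"
KEYPASS="key-demo-1"
NEWKEYPASS="key-demo-2"

# keytool wrapper: JKS is requested explicitly because keytool refuses
# -keypasswd on PKCS12 stores (the JDK default since 9), and because the
# Eclipse-era Android export wizard produced JKS keystores anyway.
# $KS is set by run_alias_demo before this is called.
kt() {
    keytool "$@" -keystore "$KS" -storetype JKS -storepass "$STOREPASS" 2>/dev/null
}

# SHA-256 fingerprint of the certificate stored under alias $1.
fingerprint() {
    kt -list -v -alias "$1" | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Runs the whole demo in a fresh temporary keystore and prints one line:
#   "rename=same newkey=different" when both claims hold,
#   "skip" when no keytool is installed.
run_alias_demo() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo skip
        return 0
    fi
    WORK=$(mktemp -d)
    KS="$WORK/demo.jks"

    # One key pair under alias "app1".
    kt -genkeypair -alias app1 -keypass "$KEYPASS" -keyalg RSA -keysize 2048 \
        -validity 10000 -dname "CN=Demo Dev, O=Demo, C=US"
    before=$(fingerprint app1)

    # Rename the alias and change the key password; the entry keeps its
    # key pair and certificate.
    kt -changealias -alias app1 -destalias renamed -keypass "$KEYPASS"
    kt -keypasswd -alias renamed -keypass "$KEYPASS" -new "$NEWKEYPASS"
    after=$(fingerprint renamed)

    # A second key pair under its own alias is a separate signing identity,
    # even though it lives in the same keystore.
    kt -genkeypair -alias app2 -keypass "$KEYPASS" -keyalg RSA -keysize 2048 \
        -validity 10000 -dname "CN=Demo Dev, O=Demo, C=US"
    other=$(fingerprint app2)

    rm -rf "$WORK"

    if [ -n "$before" ] && [ "$before" = "$after" ]; then r1=same; else r1=different; fi
    if [ -n "$other" ] && [ "$other" != "$after" ]; then r2=different; else r2=same; fi
    echo "rename=$r1 newkey=$r2"
}

run_alias_demo
```

Run it with `sh alias-demo.sh`; the expected line is `rename=same newkey=different`. The same `fingerprint` check is the one worth running against a real release keystore before and after any alias or password housekeeping, since a changed fingerprint would mean later updates of the published app are rejected by the device.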