Hi,

From the signing documentation at http://developer.android.com/intl/zh-TW/guide/publishing/app-signing.html:

When the system is installing an update to an application, if any of the certificates in the new version match any of the certificates in the old version, then the system allows the update.

This indicates that an application can be signed with multiple certificates.

This is an interesting option to allow multiple entities to sign an application, e.g. a system application which was initially signed by the device's manufacturer. Further updates could be signed by the developer.

Am I misreading the documentation or is this really possible? If so, how?

Is there any other way for an application to support different certificates and with that, having two or more entities sign it?

Thanks,
Rúben

A: 

Hi,

I found a solution for this, not that pretty but a solution nonetheless.

A signed apk file consists of:

  • Files signed with a given certificate
  • A META-INF folder with the public certificate key

To have an apk with multiple certificates:

  • Each party signs the apk
  • The META-INF contents of each apk are collected
  • A new apk (this is just a zip file) is created and the META-INF folder contains all the certificates

This will allow any of the signing parties to update the apk.

One note: there is no possibility to add certificates in an update.

rcabaco
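
An added example, not part of the original answer: a Python audit that lists which signers an apk's META-INF folder carries, assuming the JAR-style layout the answer describes (one `<SIGNER>.SF` file plus one `<SIGNER>.RSA`, `.DSA` or `.EC` block file per signing party). The function names and the sample entries `OEM`, `DEV` and `STRAY` are constructed for illustration; the code only inventories file names and does not verify any signature.

```python
import io
import zipfile

# Signature block extensions used by JAR-style signing.
BLOCK_EXTS = {"RSA", "DSA", "EC"}

def list_signers(apk):
    """Map each signer name in META-INF to the signature files present for it."""
    signers = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            rest = upper[len("META-INF/"):]
            stem, dot, ext = rest.rpartition(".")
            # Signature files sit directly in META-INF and are named <SIGNER>.<EXT>.
            if "/" in rest or not stem:
                continue
            entry = signers.setdefault(stem, {"sf": False, "block": None})
            if ext == "SF":
                entry["sf"] = True
            elif ext in BLOCK_EXTS:
                entry["block"] = ext
    # Drop names that have no signature files at all (e.g. MANIFEST.MF).
    return {k: v for k, v in signers.items() if v["sf"] or v["block"]}

def audit_signers(apk):
    """Return (complete, incomplete) signer names; complete = .SF plus a block file."""
    signers = list_signers(apk)
    complete = sorted(n for n, v in signers.items() if v["sf"] and v["block"])
    incomplete = sorted(n for n in signers if n not in complete)
    return complete, incomplete

def build_sample_apk():
    """Constructed sample: placeholder bytes only, no real signatures or certificates."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("classes.dex", "META-INF/MANIFEST.MF",
                     "META-INF/OEM.SF", "META-INF/OEM.RSA",
                     "META-INF/DEV.SF", "META-INF/DEV.EC",
                     "META-INF/STRAY.SF"):
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    complete, incomplete = audit_signers(build_sample_apk())
    print("signers with .SF and block file:", complete)
    print("incomplete signer entries:", incomplete)
```

More than one name in the first list means the package carries several signing parties, which is the situation the answer builds by hand.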