Working with Java KeyStore

Djonny Stevens Abenz
Published in Karena Kita Vidio
3 min read · Jul 21, 2019

You have two apps on the Google Play Store. Which of the options below did you choose for signing your apps before releasing them to Google Play?

  1. Sign all your apps with the same certificate
  2. Sign each app with a different certificate in the same Java KeyStore (let’s simply call it the KeyStore)
  3. Create a new KeyStore with a new certificate for each app

Let’s say you chose the second option.

And then someone reaches out to you, wanting to buy your second app. Instead of killing it, the plan is to develop it further.

Photo by The Framed Bear on Unsplash

That means you would need to hand over the certificate used to sign that app (let’s call it the second certificate), so that an updated version can be published to the Google Play Store. What would you do?

You’re right: this post is about answering that “What would you do?” question with regard to the KeyStore.

What would you do?

But first, what could you do? What are the alternatives?

  1. Send a copy of the KeyStore, along with the passphrase for the KeyStore and the passphrase for the second certificate. If you’re using the same passphrase for all certificates in the KeyStore, either change the passphrase for the second certificate, or change the passphrase for all the others, as well as the passphrase for the KeyStore itself.
  2. Create a copy of the existing KeyStore, remove all certificates except the second one, change the passphrase for the KeyStore, and send the modified KeyStore.

To me, the second option is obviously the better one, as you only share what they need. So, how do we do that?

Copy the KeyStore

$ cp original-keystore.jks second-app-keystore.jks

Remove aliases

Each certificate (key entry) in a KeyStore is accessed through its alias.

Unless you remember the aliases of all certificates in the KeyStore, let’s first find out which aliases exist in it. To do this, we use keytool, a tool distributed with the JDK and the JRE.

$ keytool -keystore second-app-keystore.jks -list

Running that command, you will get output similar to the following.

Keystore type: JKS
Keystore provider: SUN
...
alias-name-1, Jan 1, 2000, PrivateKeyEntry
...
alias-name-2, Mar 1, 2000, PrivateKeyEntry
...

To remove an alias, use the following command.

$ keytool -keystore second-app-keystore.jks -delete -alias "alias-name-1"

Verify that the KeyStore now contains only the alias of the second certificate by re-running the list command shown above.

Modify passphrase

Now that you have a KeyStore that contains only the certificate you want to share, let’s wrap up by changing the passphrase of the KeyStore.

$ keytool -keystore second-app-keystore.jks -storepass "$CURRENT_KEYSTORE_PASSPHRASE" -storepasswd -new "$NEW_KEYSTORE_PASSPHRASE"

By now you should have a KeyStore whose passphrase has been changed and which contains only the certificate needed by the buyer of your second app.
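As an added example (not code from the original post), here is the whole procedure above, from copying the KeyStore to verifying the hand-over copy, as one POSIX shell script. It assumes keytool is on PATH; the file names, the alias to keep and the passphrases are placeholders passed as arguments, and the alias extraction relies only on the “alias, date, EntryType” line format that keytool prints in the listing above.

```shell
#!/bin/sh
# Added example, not code from the original post: carve a single-alias
# KeyStore out of a multi-alias JKS for hand-over, then verify the result.
# Assumes keytool is on PATH; file names, alias and passphrases are
# placeholders supplied by the caller.
set -eu

# Print the alias names found in `keytool -list` output read from stdin.
# keytool prints one "alias, date, EntryType," line per entry; the alias is
# the text before the first ", ", whatever date format the locale uses.
aliases_from_list() {
  awk -F', ' '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)/ { print $1 }'
}

# Copy $src to $dst, delete every alias except $keep, change the store
# passphrase from $old to $new, and confirm that exactly one alias remains.
# The kept entry's own key passphrase is left unchanged: hand that over as
# well, and change it first if the other entries used the same one.
make_handover_keystore() {
  src=$1
  dst=$2
  keep=$3
  old=$4
  new=$5
  cp "$src" "$dst"
  # Collect the aliases before modifying the copy.
  aliases=$(keytool -keystore "$dst" -storepass "$old" -list | aliases_from_list)
  printf '%s\n' "$aliases" | while IFS= read -r alias; do
    [ "$alias" = "$keep" ] && continue
    keytool -keystore "$dst" -storepass "$old" -delete -alias "$alias"
  done
  keytool -keystore "$dst" -storepass "$old" -storepasswd -new "$new"
  # Verification: the only alias left must be the one we meant to keep.
  remaining=$(keytool -keystore "$dst" -storepass "$new" -list | aliases_from_list)
  [ "$remaining" = "$keep" ]
}

# Usage (placeholder names):
#   sh handover.sh original-keystore.jks second-app-keystore.jks alias-name-2 \
#      "$CURRENT_KEYSTORE_PASSPHRASE" "$NEW_KEYSTORE_PASSPHRASE"
if [ $# -eq 5 ]; then
  make_handover_keystore "$@"
fi
```

Two practical notes on this script. keytool also accepts the forms `-storepass:env NAME` and `-storepass:file path`, which keep the passphrase out of the argument list (and so out of process listings and shell history) when you run it interactively. And the reason the trimmed copy is worth the effort: the private keys of the deleted entries are removed from the file itself, so the recipient never holds their encrypted blobs; the key protection in the legacy JKS format is a proprietary scheme that Java 9 and later replaced with PKCS12 as the default, which is why a different key passphrase alone is a weaker boundary than simply not sharing the entry.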

So, rephrasing the question at the beginning of this post: what will your decision be when it comes to signing your apps before releasing them to Google Play?

Choose one that will render this post obsolete!
