I understand that the -keypass option is for "the password for the key" and that the -storepass option is for "a password for the keystore".
I don't understand, however, why two passwords are needed.
What scenarios are there for requiring 2 passwords: one for the store (file, in my case) and one for the key?
This is due to how Java handles keystores, so it's not an Android-specific issue. The reason, though, is that access to a store, such as adding/viewing trust relationships, is a separate task from creating and signing keys/certs.
In short, you may trust someone to view/update your keystore but not sign things with a key you store in the keystore. Plus, keys could be stored in multiple keystores and you want your keys locked down individually.
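The two layers described in the answer above can be observed directly through the Java KeyStore API. This is an added example, not part of the original post; the class name TwoPasswords, the alias, the passwords, and the choice of an in-memory JCEKS keystore holding an AES key are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;

public class TwoPasswords {
    public static void main(String[] args) throws Exception {
        // Constructed sample values for the demo only.
        char[] storePass = "store-secret".toCharArray(); // role of -storepass
        char[] keyPass = "key-secret".toCharArray();     // role of -keypass

        // Build an in-memory JCEKS keystore with one key entry.
        // A secret key is used so that no certificate chain is needed.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        Key key = KeyGenerator.getInstance("AES").generateKey();
        ks.setKeyEntry("demo", key, keyPass, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        byte[] file = out.toByteArray();

        // Layer 1: the store password is checked when the keystore is loaded.
        try {
            open(file, "wrong".toCharArray());
        } catch (IOException e) {
            System.out.println("store rejected: " + e.getMessage());
        }
        KeyStore opened = open(file, storePass);
        System.out.println("alias visible: " + opened.containsAlias("demo"));

        // Layer 2: knowing the store password does not release the key.
        try {
            opened.getKey("demo", storePass);
        } catch (UnrecoverableKeyException e) {
            System.out.println("key rejected with store password");
        }
        Key recovered = opened.getKey("demo", keyPass);
        System.out.println("key recovered: " + recovered.getAlgorithm());
    }

    // Loads the serialized keystore, verifying it against the given password.
    static KeyStore open(byte[] file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(file), pass);
        return ks;
    }
}
```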