Android APK Certificates - what fields are required and what if that info changes?

MartyMacGyver picture MartyMacGyver · Oct 7, 2011 · Viewed 25.7k times · Source

This seems pretty basic but I can't find the info I'm looking for anywhere, particularly with regard to Android apps.

I am creating my release key (self-signed) and I am asked for lots of info:

  • First and Last Name: (OK; not likely to change)
  • Organizational Unit: (Is this one's "business name"?)
  • Organization: (How's this different from the "Unit" above?)
  • City or Locality: (This may change...)
  • State or Province: (Also may change...)
  • Country Code (XX): (OK; not likely to change)

With that in mind, I've got two basic questions about self-signed certificates used to distribute Android apps:

  1. On creation, can I leave any of these fields EMPTY, particularly the ones that are likely to change? Or is that forbidden? (The big question.)
  2. What if I want to change a given field later? Does that mean creating a new key and having everyone reinstall the app to ever upgrade again, even if I have the original key? (Seems to be the case, judging by what little I have found.)

Thanks in advance!


Edit: More info on #1 above: if this is anything like SSL certs, then the Name, Organization and Country should be sufficient. But IS that the case? Pros and cons of leaving any/all the other fields blank? I can't be the only one who's wondered about this in terms of apps... and the Android docs I've read so far aren't helping clarify this.

For #2, it appears that changing the certificate means regenerating it, and signing with that new cert doesn't avoid the Market problem (it's like a whole new app, even if you sign with both the new AND old certs). So it's all the more important to get it right (yet sufficiently generic in case you move) the first time you sign the app.

Answer

Michael Pardo picture Michael Pardo · Oct 7, 2011

The content of these fields are actually pretty irrelevant and are not generally seen by anyone other than you. You can leave empty fields wherever keytool will allow without consequence later.

Once you sign an apk with a keystore and upload it to the Android Market, you cannot sign that same package with another keystore. This is obviously done to prevent someone else from replacing your app with another.

For my keystore I put my personal information in it, set the expiration date for 999 years in the future and keep it safe and backed up.