Can someone from Android comment on my following questions? Android Market provides basic documentation for app signing (http://developer.android.com/guide/publishing/app-signing.html#cert):

- One thing I cannot fail to notice is that the certificate can be self-issued (i.e. not from a trusted CA). I can use any CN and issuer in the certificate I create, which can also infringe copyrights of other companies. How does Google control that? From a user perspective, what distinguishes the real 'company X' certificate from someone posing as 'company X'?

- The certificate validity is requested to be at least "after 22 October 2033" so seamless application updates can be performed, and further "A validity period of more than 25 years is recommended." With any PKI best practices in mind, who would create a signing certificate valid for 25 years? For application updates it seems that the key is being validated during the upload and, if matched, the application update is allowed. Can someone comment more on what's involved here please? Is there any certificate validation for expiry date happening at the OS level? What actually drives the requirement for 25 years of validity?

Thanks!
