So...the certificate *kinda* needs to be self-signed, at least if you're going to include your app in the Market. From the requirements doc (http://developer.android.com/guide/publishing/app-signing.html#releasemode), the signing certificate must...

"Has a validity period that exceeds the expected lifespan of the application or application suite. A validity period of more than 25 years is recommended. If you plan to publish your application(s) on Android Market, note that a validity period ending after 22 October 2033 is a requirement. You can not upload an application if it is signed with a key whose validity expires before that date."

I do not know of any commercial CA that would issue you a certificate with that long of a validity period, so you're kinda left with self-signed at this point.

On Jan 17, 1:08 pm, Oleg Gryb <[email protected]> wrote:
> If a cert must be self-signed as Brian has mentioned, then I don't
> think that I can do much except storing all public keys for all
> trusted parties. If the same party uses more than one key then I would
> need to store all of them and this is what I was trying to avoid,
> apparently with no luck so far.
>
> To your point about the necessity of a CA, please check my answer to Brian.
> While I do have a strong opinion about it in the Enterprise and traditional
> web app world (i.e. self-signed certs should not be used in prod), I
> don't have such a strong opinion in the mobile world yet, except that
> it does create the inconvenience that I've described above (need to store
> all public keys for the same party).
>
> On Jan 17, 3:36 am, Kevin Chadwick <[email protected]> wrote:
> > On Mon, 16 Jan 2012 20:31:20 -0800
> > Brian Carlstrom wrote:
> > > On Sat, Jan 14, 2012 at 8:30 AM, Oleg Gryb <[email protected]> wrote:
> > > > Is there any way to verify an Android application's signature's
> > > > signer? By this I mean that I need to check if an application was
> > > > signed by an organization that I trust and that all public
> > > > certificates in the chain representing this organization are valid.
> > >
> > > No, applications are signed by self-signed certificates, not utilizing
> > > certificate chains with public CAs as roots.
> > >
> > > -bri
> >
> > And if you think about it, checking the author's signature is more
> > secure because unless the third party verifies the code, which is often
> > closed source, then all you would be achieving is increasing the attack
> > surface by including the CA as well as the author's systems (source). No
> > matter what you do you *MUST* verify and trust the author.
> >
> > Apple's method of preventing the obvious is questionable at best and may
> > lead to a false sense of security and likely has more to do with Apple's
> > want for control, which is probably why they have less market share than
> > they should with a better OS than Windows, as the hardware was
> > controlled, like Sony phones until recently.
> >
> > --
> > Kc
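The thread settles on two checks a verifier can actually perform when signers are self-signed: pin the signing certificate(s) of each organization you trust (several per party when they use more than one key, as Oleg describes) and confirm the certificate's validity runs past the Market's 22 October 2033 deadline. The Python below is an added example, not code from the thread or from Android; it assumes the caller has already extracted the signer's DER-encoded certificate bytes (on a device, `PackageInfo.signatures` carries them), and the "certificates" it builds are structurally minimal, unsigned X.509 shapes constructed only so the example runs offline. `build_sample_cert`, `TRUSTED_SIGNERS` and the organization name are hypothetical.

```python
import hashlib
from datetime import datetime, timezone

# Android Market rule quoted in the thread: validity must end after 22 Oct 2033.
MARKET_DEADLINE = datetime(2033, 10, 22, tzinfo=timezone.utc)


def _encode(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample certs."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _seq(*items: bytes) -> bytes:
    return _encode(0x30, b"".join(items))


def der_children(body: bytes) -> list:
    """Split the body of a DER SEQUENCE into its (tag, value) elements."""
    out, i = [], 0
    while i < len(body):
        tag, length = body[i], body[i + 1]
        i += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(body[i:i + n], "big")
            i += n
        out.append((tag, body[i:i + length]))
        i += length
    return out


def _parse_time(tag: int, value: bytes) -> datetime:
    s = value.decode("ascii")
    if tag == 0x17:                             # UTCTime YYMMDDHHMMSSZ, RFC 5280 pivot at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                           # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(cert_der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as UTC."""
    (_, cert_body), = der_children(cert_der)
    (_, tbs), _sig_alg, _sig_val = der_children(cert_body)
    fields = der_children(tbs)
    validity_index = 4 if fields[0][0] == 0xA0 else 3   # explicit [0] version shifts it
    _not_before, (tag, not_after) = der_children(fields[validity_index][1])
    return _parse_time(tag, not_after)


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate: the value pinned per trusted signer."""
    return hashlib.sha256(cert_der).hexdigest()


def verify_signer(cert_der: bytes, trusted: dict, deadline: datetime = MARKET_DEADLINE):
    """Return (organization, reason); organization is None when the signer is rejected."""
    fp = fingerprint(cert_der)
    org = next((name for name, pins in trusted.items() if fp in pins), None)
    if org is None:
        return None, "signer certificate is not pinned for any trusted organization"
    not_after = cert_not_after(cert_der)
    if not_after <= deadline:
        return None, f"validity ends {not_after.date()}, not after {deadline.date()}"
    return org, "ok"


def build_sample_cert(not_after_tag: int, not_after: bytes, serial: bytes) -> bytes:
    """Structurally minimal, unsigned X.509 shape: constructed for this example only."""
    return _seq(
        _seq(                                           # tbsCertificate
            _encode(0xA0, _encode(0x02, b"\x02")),      # [0] version v3
            _encode(0x02, serial),                      # serialNumber
            _seq(),                                     # signature (placeholder)
            _seq(),                                     # issuer (placeholder)
            _seq(_encode(0x17, b"120117000000Z"),       # validity: notBefore (UTCTime)
                 _encode(not_after_tag, not_after)),    #           notAfter
            _seq(),                                     # subject (placeholder)
            _seq(),                                     # subjectPublicKeyInfo (placeholder)
        ),
        _seq(),                                         # signatureAlgorithm (placeholder)
        _encode(0x03, b"\x00"),                         # signatureValue (placeholder)
    )


# Constructed sample signers: one organization using two different keys, so both
# fingerprints are pinned under the same name (the case Oleg wanted to avoid).
LONG_LIVED_CERT = build_sample_cert(0x18, b"20400117000000Z", b"\x01")   # expires 2040
SHORT_LIVED_CERT = build_sample_cert(0x17, b"200101000000Z", b"\x02")    # expires 2020
UNPINNED_CERT = build_sample_cert(0x18, b"20400117000000Z", b"\x03")

TRUSTED_SIGNERS = {
    "Example Org (constructed)": {fingerprint(LONG_LIVED_CERT), fingerprint(SHORT_LIVED_CERT)},
}

if __name__ == "__main__":
    for name, cert in [("long-lived", LONG_LIVED_CERT), ("short-lived", SHORT_LIVED_CERT),
                       ("unpinned", UNPINNED_CERT)]:
        print(name, verify_signer(cert, TRUSTED_SIGNERS))
```

Pinning the whole certificate's SHA-256 rather than a subject name is deliberate: with no CA behind the certificate, the subject is free-form and proves nothing, so the fingerprint (or equivalently the public key) is the only thing that identifies the party. The DER walker here reads just enough of the structure to reach `notAfter`; it does not check the signature, which for a self-signed certificate only proves the holder of the key produced the certificate, not who that holder is.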
