It also says "the key may be self signed", so after all it's not that bad if I use a company's CA to issue signing certs.

On Jan 17, 11:43 am, Jeff <[email protected]> wrote:
> So...the certificate *kinda* needs to be self-signed, at least if
> you're going to include your app in the Market. From the requirements
> doc (http://developer.android.com/guide/publishing/app-signing.html#releasemode),
> the signing certificate must...
>
> "Has a validity period that exceeds the expected lifespan of the
> application or application suite. A validity period of more than 25
> years is recommended. If you plan to publish your application(s) on
> Android Market, note that a validity period ending after 22 October
> 2033 is a requirement. You can not upload an application if it is
> signed with a key whose validity expires before that date."
>
> I do not know of any commercial CA that would issue you a certificate
> with that long of a validity period, so you're kinda left with
> self-signed at this point.
>
> On Jan 17, 1:08 pm, Oleg Gryb <[email protected]> wrote:
> > If a cert must be self-signed as Brian has mentioned, then I don't
> > think that I can do much except storing all public keys for all
> > trusted parties. If the same party uses more than one key then I would
> > need to store all of them, and this is what I was trying to avoid,
> > apparently with no luck so far.
> >
> > To your point about the necessity of a CA, please check my answer to
> > Brian. While I do have a strong opinion about it in the Enterprise and
> > traditional web app world (i.e. self-signed certs should not be used
> > in prod), I don't have such a strong opinion in the mobile world yet,
> > except that it does create the inconvenience that I've described above
> > (need to store all public keys for the same party).
> >
> > On Jan 17, 3:36 am, Kevin Chadwick <[email protected]> wrote:
> > > On Mon, 16 Jan 2012 20:31:20 -0800
> > > Brian Carlstrom wrote:
> > > > On Sat, Jan 14, 2012 at 8:30 AM, Oleg Gryb <[email protected]> wrote:
> > > > > Is there any way to verify an Android application signature's
> > > > > signer? By this I mean that I need to check if an application was
> > > > > signed by an organization that I trust and that all public
> > > > > certificates in the chain representing this organization are valid.
> > > >
> > > > No, applications are signed by self-signed certificates, not utilizing
> > > > certificate chains with public CAs as roots.
> > > >
> > > > -bri
> > >
> > > And if you think about it, checking the author's signature is more
> > > secure, because unless the third party verifies the code, which is often
> > > closed source, all you would be achieving is increasing the attack
> > > surface by including the CA as well as the author's systems (source). No
> > > matter what you do you *MUST* verify and trust the author.
> > >
> > > Apple's method of preventing the obvious is questionable at best and may
> > > lead to a false sense of security, and likely has more to do with Apple's
> > > want for control, which is probably why they have less market share than
> > > they should with a better OS than Windows, as the hardware was
> > > controlled, like Sony phones until recently.
> > >
> > > --
> > > Kc

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
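The check Oleg is asking about, written out as an added example (it is not code from this thread, from Android's documentation, or from any of the posters): since an APK signer is a self-signed certificate with no CA chain to walk, the only identity you can verify is the certificate itself, so the app keeps a set of trusted certificate fingerprints (one per key the partner has ever signed with, which is the "store all public keys for the same party" approach Oleg describes) and compares the leaf certificate of every signer against it, adding the 22 October 2033 validity floor Jeff quoted as a sanity check. The two fingerprint strings and the "com.example.partner" package name are placeholders, and the SigningInfo API used on the newer branch was added in Android 9, long after this 2012 thread.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashSet;
import java.util.Set;

/** Checks that another installed package was signed only with keys we already trust. */
public final class TrustedSignerCheck {

    // Placeholder fingerprints (assumption, not real keys). In a real app these are the
    // SHA-256 digests of the partner's DER-encoded signing certificates, one entry per
    // key they have used, e.g. taken from "apksigner verify --print-certs partner.apk".
    private static final Set<String> TRUSTED_CERT_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000",
            "1111111111111111111111111111111111111111111111111111111111111111"));

    // The Market cut-off quoted in the thread: the signing cert must be valid past this date.
    private static final Date MARKET_MIN_NOT_AFTER =
            new GregorianCalendar(2033, Calendar.OCTOBER, 22).getTime();

    private TrustedSignerCheck() {}

    /** Returns true only if every current signer of packageName is in the trusted set. */
    public static boolean isSignedByTrustedParty(Context ctx, String packageName) {
        Signature[] signers;
        try {
            signers = currentSigners(ctx.getPackageManager(), packageName);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // not installed: nothing to trust
        }
        if (signers == null || signers.length == 0) {
            return false;
        }
        // Require ALL signers to be trusted. A "contains any" check would let an APK
        // co-signed by a trusted key and an unknown one pass.
        for (Signature s : signers) {
            if (!isTrusted(s.toByteArray())) {
                return false;
            }
        }
        return true;
    }

    /** API 28+ exposes SigningInfo; older platforms only have the GET_SIGNATURES array. */
    private static Signature[] currentSigners(PackageManager pm, String pkg)
            throws PackageManager.NameNotFoundException {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            return pi.signingInfo == null ? null : pi.signingInfo.getApkContentsSigners();
        }
        @SuppressWarnings("deprecation")
        PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return pi.signatures;
    }

    /** One signer: pin the whole DER certificate (and so its public key), never the Subject DN. */
    static boolean isTrusted(byte[] derCert) {
        try {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(derCert));
            // Anyone can self-sign a certificate with the same Subject, so the DN proves nothing;
            // the digest of the encoded certificate is what identifies the key holder.
            String fingerprint = hex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
            if (!TRUSTED_CERT_SHA256.contains(fingerprint)) {
                return false;
            }
            // Sanity check against the validity floor quoted from the app-signing doc.
            return !cert.getNotAfter().before(MARKET_MIN_NOT_AFTER);
        } catch (Exception e) {
            return false; // unparsable certificate or unavailable digest: fail closed
        }
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Typical call site (package name is a placeholder):
    // boolean ok = TrustedSignerCheck.isSignedByTrustedParty(context, "com.example.partner");
}
```

Pinning the certificate digest rather than the Subject name is the point that matters here: with self-signed certs there is no issuer to vouch for the name, so a trusted party that rotates or adds a key simply gets another fingerprint added to the set, which is the cost Oleg notes and which no CA can remove for Market-published apps.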
