Tags: java, android, code-signing, keystore, private-key

Multiple Keystores vs Multiple Keys and export/import of keys


I'm developing multiple Android applications for various clients. I manage the complete lifecycle of development for my clients which includes development and publishing to Google Play.

I'm concerned about how I should sign the applications I make for my clients. Right now, I have 1 keystore, and for each client, I create their own private key.

My concern is, if one day the clients want to take their Android app and manage it on their own without me, I'll need to give them their private key so that they can publish updates to the app.

My question is, is it possible to do this with only 1 keystore, and somehow export the private key which belongs to a certain client from the keystore and give it to them, or should I be creating a keystore for each client? If the former is possible, then how is it technically done?

The scenario which would be ideal for me would be to be able to export a single private key from my keystore into another keystore, and be able to alter the password of this key without it affecting the validity of the key so that it can still be used to update the app it was made for in the future.


Solution

  • You can import or export your private keys into PKCS#12 (.p12) files using a program called keytool:

    keytool -importkeystore -srckeystore existing-store.jks -destkeystore new-store.p12 -deststoretype PKCS12
    

    This page lists many things that are possible with the keystore, i.e. changing its format, and exporting out single keys:

    http://www.startux.de/index.php/java/44-dealing-with-java-keystoresyvComment44

    There is also an app called Keystore Explorer which does the same job but using a GUI:

    http://keystore-explorer.sourceforge.net/

    You can change the password without affecting signing ability:

    keytool -keypasswd -alias "key name" -keypass "old password" -new "new password" -keystore "keystore path"
    

    This means that when your client wants their key from your keystore, you can just export it out.
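As an added example (not part of the answer above), the following script walks the full hand-over on a constructed two-client keystore: it exports only one client's key pair into its own PKCS#12 file under a new password, then checks that the certificate fingerprint is unchanged and that the other client's key stayed behind. The file names, aliases and passwords are invented for the demo; it needs a JDK `keytool` on the PATH.

```shell
# Added example, not from the original answer. Moves ONE client's signing key out of
# a shared keystore into its own PKCS#12 file under a new password, then checks that
# the certificate fingerprint (what Android and Play compare) is unchanged.
# Every file name, alias and password below is made up for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SHARED="$WORK/agency.jks"            # one shared keystore, as in the question
CLIENT_P12="$WORK/client-acme.p12"   # the per-client keystore we hand over
STORE_PASS="agency-store-pw"         # demo passwords only
KEY_PASS="acme-key-pw"
NEW_PASS="acme-new-pw"

# Build the shared JKS keystore with two clients' key pairs ('acme' and 'globex').
make_shared_store() {
  rm -f "$SHARED"
  for alias in acme globex; do
    keytool -genkeypair -keystore "$SHARED" -storetype JKS -storepass "$STORE_PASS" \
      -alias "$alias" -keypass "$KEY_PASS" -keyalg RSA -keysize 2048 \
      -validity 10000 -dname "CN=$alias, O=Agency" >/dev/null 2>&1
  done
}

# Copy only the 'acme' entry: -srcalias restricts -importkeystore to that one key
# pair, so the other client's private key never leaves the shared store. PKCS#12
# uses one password for store and key, so both get the client's new password.
export_one_key() {
  rm -f "$CLIENT_P12"
  keytool -importkeystore -srckeystore "$SHARED" -srcstoretype JKS \
    -srcstorepass "$STORE_PASS" -srcalias acme -srckeypass "$KEY_PASS" \
    -destkeystore "$CLIENT_P12" -deststoretype PKCS12 \
    -deststorepass "$NEW_PASS" -destkeypass "$NEW_PASS" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate under an alias (empty if absent/bad password).
fingerprint() { # $1=keystore  $2=store password  $3=alias
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/.*SHA256: //p' | head -n 1
}

# Succeeds only if acme's fingerprint is identical in both stores and globex was
# NOT carried over into the client's file.
verify_move() {
  before="$(fingerprint "$SHARED" "$STORE_PASS" acme)"
  after="$(fingerprint "$CLIENT_P12" "$NEW_PASS" acme)"
  leaked="$(fingerprint "$CLIENT_P12" "$NEW_PASS" globex)"
  [ -n "$before" ] && [ "$before" = "$after" ] && [ -z "$leaked" ]
}

command -v keytool >/dev/null 2>&1 && make_shared_store && export_one_key &&
  verify_move && echo "acme key exported under new password; fingerprint unchanged"
```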