Tags: android, android-app-signing

Is it possible to extend a certificate that was used in signing an Android APK?


For testing purposes, we created an APK for our product (that is not in the Google Play Store) that is signed with a self-signed certificate that is now expired. I have "renewed" the certificate by creating a new certificate using the same public/private key, but with an expiry date 10 years out.

We recreate the keystore using keytool each time using the PFX file containing the public and private key and then sign using apksigner.

Unfortunately, when installing the APK signed with the new PFX file containing the extended certificate over top of the APK signed with the old certificate, we get the following error (clean install is fine):

adb: failed to install MyTest.apk: Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package com.example.MyTest signatures do not match previously installed version; ignoring!]

Main question:

  • Does the INSTALL_FAILED_UPDATE_INCOMPATIBLE error depend on the value of the public key (which is the same as before) or the signature of the public key certificate (which has presumably changed because the expiry date has changed)?

Ancillary questions:

  • Is the error message wrong? Wouldn't the package signature change every time that the package changes, even if we're using the identical key to sign? Do they mean public key certificate signature?

  • Oddly enough, the old APK signed by the expired key still clean installs on our tablets in contradiction to what I understood to be the case. Shouldn't installations of an APK signed using an expired certificate be failing?


Solution

  • Does the INSTALL_FAILED_UPDATE_INCOMPATIBLE error depend on the value of the public key (which is the same as before) or the signature of the public key certificate (which has presumably changed because the expiry date has changed)?

    Yes. This information is not displayed in your app, but is included in your certificate as part of the APK.

    Q2: The package is signed with your key every time it changes, to identify that it is from the correct source; the key is not changed. The Google Play Store and the Android OS will detect whether the content has changed by using your key/certificate and running it over your data. If the package name is the same but the signatures don't match, it fails with this error.

    Q3: The expiration date is for your certificate, not the app. Apps will install and work fine. You will not be able to sign new updates with the same certificate after its expiration is reached. By default they are valid for 25 years unless changed manually.

    Check more here: https://developer.android.com/studio/publish/app-signing
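The following is an added example (not part of the question or the answer above) that reproduces the situation from the question with openssl: one key pair, two self-signed certificates that differ only in validity period. Android identifies a signer by the DER-encoded certificate, so the certificate digest changes while the public key digest stays the same; it assumes `openssl` is installed, and every file name and subject here is constructed for the demo.

```shell
#!/bin/sh
# Added example: "renewing" a certificate with the same key pair yields a
# different certificate, which is what Android compares on update.
# Assumes openssl is available; all file names/subjects are constructed here.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One RSA key pair, reused for both certificates (as in the question).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/key.pem" 2>/dev/null

# Two self-signed certificates from the same key: only the validity differs.
openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=MyTest example" \
  -days 1 -out "$WORK/old.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=MyTest example" \
  -days 3650 -out "$WORK/new.pem" 2>/dev/null

# SHA-256 over the DER-encoded certificate. This is the value that
# `apksigner verify --print-certs` reports as the certificate SHA-256 digest,
# and it is the identity Android matches against the installed package.
cert_sha256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER-encoded public key extracted from the certificate.
pubkey_sha256() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Expected: the certificates differ even though the public key is identical,
# which is why the update is rejected as "signatures do not match".
certs_differ() { [ "$(cert_sha256 "$WORK/old.pem")" != "$(cert_sha256 "$WORK/new.pem")" ]; }
keys_match()   { [ "$(pubkey_sha256 "$WORK/old.pem")" = "$(pubkey_sha256 "$WORK/new.pem")" ]; }

echo "old cert:   $(cert_sha256 "$WORK/old.pem")"
echo "new cert:   $(cert_sha256 "$WORK/new.pem")"
echo "public key: $(pubkey_sha256 "$WORK/old.pem") (same for both)"
```

To compare against a real build, run `apksigner verify --print-certs MyTest.apk` on the old and new APKs: the certificate SHA-256 digest lines will differ in exactly the same way.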