The platform has an app signed with a cert. If you want to install an update to that app under a different cert, how could the platform trust that this is actually coming from the author who owns the original cert without the new app also being signed in some way with the original cert? Note that we don't use certificate authorities, so there is no root cert or such to go back to, to try to verify some relationship between two certs. Because we use self-signing, you are ultimately the CA, and have responsibility for the certs you generate.
I know this is an old thread, but this caught my attention. Would it not be possible to come up with a tool with which a developer could somehow use the old cert as the authority for the new one? After all, the developer is the only one with access to the private key, so a new cert could be "signed" by the old one just as an .apk file is signed.
-- --
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
---
You received this message because you are subscribed to the Google Groups "Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
No comments:
Post a Comment