Rockbox mail archive

Subject: RE: Providing Android builds

From: Alexandros Schillings <aschillings.lists_at_gmail.com>
Date: Fri, 1 Jul 2011 15:05:27 +0100

There are a couple of issues here.

1.
If you are planning to get users to update the application without
un-installing, you will need to keep using the same key for every release.
Otherwise users will receive signature errors and they will be forced to
uninstall/re-install and re-enter any settings.

Every debug key is unique (a new one is created per user per Android SDK
installation), so all developers in the project who can post final release
APKs will need to use the same one.
Key expiry, on the other hand, is not an issue, as you can create your own
debug key and set the expiry date (disclaimer: it's my blog):
http://alt236.blogspot.com/2011/06/fixing-error-getting-final-archive.html

2.
If you are planning to release the application in the Market, you will need
a proper key.

Creating and signing an application with a proper key is quite easy
(http://developer.android.com/guide/publishing/app-signing.html). The program
to create the key comes with the JDK and signing an application for release
is essentially a right-click action in Eclipse.

Either way, the people who can do the final "release" compilation will have
to sign with a single key which is distributed to each one of them.

If the signing key (be it debug or release) is lost/compromised and a new
key has to be generated, Android (and the Market) will treat the newly
signed application as a completely different app forcing the user to
uninstall the previous version. In the market's case you will also need to
change the package name and probably unpublish the existing app.

Essentially, the differences between a debug and an actual key are:
1. You need a proper key to publish in the market
2. A proper key will make users more confident that they are using a proper
Rockbox release.

The headaches of key management remain more-or-less the same either way.

Alex

The main question would be if you are planning to release the builds in the
market.

> From: Jonas Häggqvist <rasher_at_rasher.dk>
>
> Date: Thu, 30 Jun 2011 20:28:43 +0200
>
> For quite a while now, the Android builds have been perfectly usable, so
> what would it take to provide builds for people to download?
>
> The main issue with providing builds (aside from adapting the build
> system, which seems to be in place now), is the question of signing.
>
> Android lets you sign using a debug key, which provides no real security
> and will expire every 6 months, afaiu. Providing builds, signed with such
> a key, I think, would be fairly straightforward.
>
> On the other hand, doing signing with a real key would be more proper, but
> probably also more complicated for whoever has to implement it?
>
> So my question is, what do we want to do?
>
> Is there opposition to providing debug signed builds until properly signed
> builds can be available?
>
> Did I miss anything? Talk rubbish? Please correct me, I'm going by a vague
> understanding of the situation.
>
> --
> Jonas Häggqvist
> rasher(at)rasher(dot)dk
>
>
Received on 2011-07-01
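
Added example, not part of the original thread or of Rockbox's build system: a pre-release check that a new APK carries the same signing certificate as the previously published one, which is the condition for an in-place update described in the message above. It assumes JAR-style (v1) signing with a single certificate in `META-INF/*.RSA`; the function names and the constructed sample APK are hypothetical.

```python
import hashlib, io, re, zipfile

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def make_tlv(tag, body):
    """Encode one DER element (only used to build the constructed sample)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def signer_cert_sha256(apk):
    """SHA-256 of the first certificate in the APK's PKCS#7 signature block."""
    with zipfile.ZipFile(apk) as z:
        name = next(n for n in z.namelist()
                    if re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n))
        p7 = z.read(name)
    _, pos, _ = read_tlv(p7, 0)                    # ContentInfo SEQUENCE
    _, _, pos = read_tlv(p7, pos)                  # skip OID signedData
    _, pos, _ = read_tlv(p7, pos)                  # [0] EXPLICIT wrapper
    _, pos, end = read_tlv(p7, pos)                # SignedData SEQUENCE
    while pos < end:
        tag, start, stop = read_tlv(p7, pos)
        if tag == 0xA0:                            # certificates [0]
            _, _, cert_end = read_tlv(p7, start)
            return hashlib.sha256(p7[start:cert_end]).hexdigest()
        pos = stop
    raise ValueError("no certificate in signature block")

def sample_apk(cert_body):
    """Constructed stand-in APK: only the SignedData layout is real, not the crypto."""
    cert = make_tlv(0x30, cert_body)
    signed = make_tlv(0x30, make_tlv(0x02, b"\x01") + make_tlv(0x31, b"") +
                      make_tlv(0x30, b"") + make_tlv(0xA0, cert) + make_tlv(0x31, b""))
    oid = make_tlv(0x06, bytes.fromhex("2a864886f70d010702"))  # pkcs7-signedData
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", make_tlv(0x30, oid + make_tlv(0xA0, signed)))
    return buf

def can_update_in_place(old_apk, new_apk):
    """True when both APKs were signed with the same certificate."""
    return signer_cert_sha256(old_apk) == signer_cert_sha256(new_apk)
```

Both arguments can be file paths or file-like objects; a `False` result before upload means users of the old build would get a signature error instead of an update.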


Page was last modified "Jan 10 2012" The Rockbox Crew