Rockbox mail archiveSubject: RE: Providing Android builds
RE: Providing Android builds
From: Alexandros Schillings <aschillings.lists_at_gmail.com>
Date: Fri, 1 Jul 2011 15:05:27 +0100
There are a couple of issues here.
If you are planning to get users to update the application without
un-installing, you will need to keep using the same key for every release.
Otherwise users will receive signature errors and they will be forced to
uninstall/re-install and re-enter any settings.
Every debug key is unique (a new one is created per user per Android SDK
installation), so all developers in the project who can post final release
APKs will need to use the same one.
Key expiry on the other hand is not an issue as you can create your own
debug key and set the expiry date (disclaimer, its my blog):
If you are planning to release the application in the Market, you will need
a proper key.
Creating and signing an application with a proper key is quite easy (
http://developer.android.com/guide/publishing/app-signing.html). The program
to create the key comes with the JDK and signing an application for release
is essentially a right-click action in Eclipse.
Either way, the people who can do the final "release" compilation will have
to sign with a single key which is distributed to each one of them.
If the signing key (be it debug or release) is lost/compromised and a new
key has to be generated, Android (and the Market) will treat the newly
signed application as a completely different app forcing the user to
uninstall the previous version. In the market's case you will also need to
change the package name and probably unpublish the existing app.
Essentially, the differences between a debug and an actual key are
1. You need a proper key to publish in the market
2. A proper key will make users more confident that they are using a proper
The headaches of key management remain more-or-less the same either way.
The main question would be if you are planning to release the builds in the
> From: Jonas Häggqvist <rasher_at_rasher.dk<rasher_at_rasher.dk?Subject=Re:%20Providing%20Android%20builds>>
> Date: Thu, 30 Jun 2011 20:28:43 +0200
> For quite a while now, the Android builds have been perfectly usable, so
> what would it take to provide builds for people to download?
> The main issue with providing builds (aside from adapting the build
> system, which seems to be in place now), is the question of signing.
> Android lets you sign using a debug key, which provides no real security
> and will expire every 6 months, afaiu. Providing builds, signed with such
> a key, I think, would be fairly straight forward.
> On the other hand, doing signing with a real key would be more proper, but
> probably also more complicated for whoever has to implement it?
> So my question is, what do we want to do?
> Is there opposition to providing debug signed builds until properly signed
> builds can be available?
> Did I miss anything? Talk rubbish? Please correct me, I'm going by a vague
> understanding of the situation.
> Jonas Häggqvist
Received on 2011-07-01