Working with Java KeyStore

Working with Java KeyStore

You have two apps on Google Play Store. Which one from the list below that you chose to sign your apps prior to releasing them to Google Play?

Let’s say you chose the second option.

And then, someone reach out to you, wanting to buy your second app. And instead of killing it, the plan is to develop it further.

That means, you would need to provide the certificate (let’s call it second certificate) to sign said app, so an updated version could be published to Google Play Store. What would you do?

You’re right, this post is about answering that What would you do? question with regards to the KeyStore.

What would you do?

But first, what could you do? What are the alternatives?

To me, it’s obvious the second option is the better one, as you only share what they need. So, how might we do that?

Copy the KeyStore

$ cp original-keystore.jks second-app-keystore.jks

Remove aliases

Certificate in KeyStore can be accessed through alias.

Unless you remember the aliases for all certificates in the KeyStore, let’s first find out what aliases existed in the KeyStore. To do this, we’re going to use a tool called keytool, which is distributed along with JDK or JRE.

$ keytool -keystore second-app-keystore.jks -list

Running that command, you will get output similar to the following.

Keystore type: JKS
Keystore provider: SUN

To remove an alias, you can use the following.

$ keytool -keystore second-app-keystore.jks -delete -alias "alias-name-1"

Verify that the KeyStore only contains alias to second certificate by re-running the command to list the aliases provided above.

Modify passphrase

Now that you have a KeyStore that only contains the certificate you want to share, let’s wrap up everything by modifying the passphrase for the KeyStore.

$ keytool -keystore second-app-keystore.jks -storepass "$CURRENT_KEYSTORE_PASSPHRASE" -storepasswd -new "$NEW_KEYSTORE_PASSPHRASE"

By now, you should have a KeyStore, which passphrase has been modified, and only contains the certificate that’s needed by your second app buyer.

So, rephrasing the first question at the beginning of this post, what will your decision be when it comes to signing your apps prior to releasing them to Google Play?

Choose one that will render this post obsolete!