
How do I ensure my keystore info doesn't change with my cordova app

I've published a few apps but eventually will need to do updates, most of the time it's fine, but soon enough.. I get an error when updating my app saying the fingerprint certificate is wrong. Answers all point to the need to save and reuse the original keystore or you're SOL. Just a few things to explain:

  • I have no clue what a keystore is.
  • I have no clue how to save it when making an app.
  • I have no clue how to restore it in future versions of my app that have used an alternate keystore for some reason or other.

What I'm trying to figure out is, what's the best practice to ensure that whenever I'm messing with my app to future develop it, how do I prevent changing this damn keystore? Is it whenever I update cordova? Update a platform? etc.. I feel like my apps have a ticking time-bomb that eventually stops it from being able to update on the Play Store. I'm using Cordova btw.

Been doing some research for about a day and a half before asking, so any help is appreciated.

Here's what I've gathered...

STEP ONE - CREATE A .KEYSTORE FILE:

Navigate to C:\Program Files\Java\jre7\bin (usually this), open command window and type:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

STEP TWO - CREATING AN UNSIGNED VERSION OF YOUR APP: Build an unsigned version of the app in a command window that's opened in your project folder:

cordova build android --release

STEP THREE - SIGN THE RELEASE WITH YOUR SAVED KEYSTORE: Running the first command below will show all entries in your keystore; look for 'Alias name' in the output, then use that value in the second command. In CMD:

keytool -list -v -keystore /path/to/your.keystore

jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore /path/to/your.keystore android-release-unsigned.apk alias_name

STEP FOUR - CHECKING YOUR WORK: Let's make sure everything was updated correctly before adding your app, otherwise you may run into this mess all over again.

First, unzip the APK and extract the file /META-INF/ALIAS_NA.RSA (this file may also be CERT.RSA or other, but there should only be one .RSA file).

Then issue this command:

keytool -printcert -file ALIAS_NA.RSA

You will get certificate fingerprints like this:

 MD5:  B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
 SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
 Signature algorithm name: SHA1withRSA

Then use the keytool again to print out all the aliases of your signing keystore:

keytool -list -keystore my-signing-key.keystore

You will get a list of aliases and their certificate fingerprint:

android_key, Jan 23, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5):     B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB

We can now determine the apk has been signed with this keystore, and with the alias 'android_key'.

Keytool is part of Java, so make sure your PATH has Java installation dir in it. Store this somewhere you'll remember and use information where you'll remember (or safely store this info somewhere, a tattoo comes to mind).

STEP FIVE - ZIPALIGN YOUR APP: Navigate to your Android SDK folder and search for zipalign, use the most recent one. Then:

zipalign -f -v 4 "path/to/unsigned-apk" "path/you/want/signed/apk"

A lot of this info was found from all over stackoverflow, then compiled here for myself and others to reference in the future.
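
The fingerprint comparison from STEP FOUR, automated so it can run as a check before every upload. This is an added example, not part of the original post; the function names are hypothetical, it assumes the non-verbose `keytool -list` layout shown above, and it also accepts listings that report SHA1 or SHA-256 instead of MD5.

```python
import re

# Matches "MD5: AA:BB..", "SHA1: ..", "SHA256: .." and "(MD5): ..", "(SHA-256): .."
_FP = re.compile(r"\(?\b(MD5|SHA-?1|SHA-?256)\)?:\s*((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})")

def _norm(algo, value):
    """Canonical form, e.g. ('SHA256', 'aabb..'), so both keytool output styles compare equal."""
    return algo.upper().replace("-", ""), value.replace(":", "").lower()

def cert_fingerprints(printcert_output):
    """Fingerprints from `keytool -printcert -file X.RSA` output, keyed by algorithm."""
    return dict(_norm(a, v) for a, v in _FP.findall(printcert_output))

def keystore_fingerprints(list_output):
    """Map alias -> (algorithm, fingerprint) from `keytool -list -keystore ...` output."""
    entries, alias = {}, None
    for line in list_output.splitlines():
        m = _FP.search(line)
        if m and alias:
            entries[alias] = _norm(*m.groups())
            alias = None
        elif "," in line and "Entry" in line:  # e.g. "android_key, Jan 23, 2010, PrivateKeyEntry,"
            alias = line.split(",", 1)[0].strip()
    return entries

def signing_alias(printcert_output, list_output):
    """Alias whose certificate signed the APK, or None if this is the wrong keystore."""
    apk = cert_fingerprints(printcert_output)
    for alias, (algo, fp) in keystore_fingerprints(list_output).items():
        if apk.get(algo) == fp:
            return alias
    return None

# Output copied from the post above.
PRINTCERT = """\
 MD5:  B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
 SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
 Signature algorithm name: SHA1withRSA
"""
LISTING = """\
android_key, Jan 23, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5):     B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
"""
# Constructed sample: a different keystore whose listing reports SHA1.
OTHER = """\
debug_key, Mar 1, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""
if __name__ == "__main__":
    print(signing_alias(PRINTCERT, LISTING), signing_alias(PRINTCERT, OTHER))
```

A `None` result means the APK was not signed with any key in that keystore, which is the condition that makes the Play Store reject the update.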
