How is one supposed to answer Java keystore questions that keytool asks?
When creating a keystore file using Java's keytool program, it asks a series of questions about the identity to be associated with the keystore. These include some that I wonder if they are required, what they are used for (if anything, ever), how anyone will ever see/use them, and from what context they are supposed to be answered. For example:

"What is your first and last name?" So I wonder things like, Who do they mean? If our team has an IT tech run this program for us, should he put his name? Should it be the manager of our dev team or department? If we work at a company and the person who put their name left the company, what are we supposed to do?

"What is the name of your organizational unit?" What if there is none?

"What is the name of your organization?" What if I'm just a person making a program?

"What is the two-letter country code for this unit?" What unit? What effect does this have? Can I leave it blank?

Also, what agreements, rights and responsibilities are associated with providing this information, upon the person assigned? Or are these just trying to be helpful in case we want this info associated, and we can choose to leave any of them blank if they don't seem relevant or desired?

Is the answer different if it's a mobile app for the Android Play Store?

Isthmus answered 8/10, 2015 at 22:16

The purpose of those questions is to provide information about you / your organization to the person using that keystore file; for example the Android Play Store registration person.

How is one supposed to answer Java keystore questions that keytool asks?

In general, you should answer truthfully, providing the information that is necessary for the purpose.

In your case, I think you are signing your application. (Correct me if I'm wrong ...) In that case, the purpose of the certificate is (according to this):

Android uses this certificate to identify the author of an app ...

so your answers should be sufficient to allow the Android Play Store administrators, and Android end-users to identify the app's author with sufficient specificity to make a decision as to whether to trust the app.

Obviously, under different circumstances the author might be identified as a person, an organizational unit or an organization. It would be up to you (i.e. the people publishing the software) to make that call. If there is some guidance in Android documentation, I couldn't find it. (Please add comments below if you can find anything "official" from Android / Google on this.)


Also, what agreements, rights and responsibilities are associated with providing this information, upon the person assigned?

AFAIK, none. However, uploading your app certainly places certain obligations on you.

Or are these just trying to be helpful in case we want this info associated, and we can choose to leave any of them blank if they don't seem relevant or desired?

It is not clear. However, leaving out information may cause people to decide that your certificate is untrustworthy. Similarly, a self-signed certificate is liable to be viewed with suspicion [1].

[1] For example, nothing stops you from writing an Android app for accessing the user's bank account. And you can sign the app saying that it was published by the bank. But if the certificate doesn't have a trust chain going back to a trusted root CA, then the user should treat your app with suspicion.

Collimore answered 8/10, 2015 at 22:51
Thank you! Yes, I too found no real guidance on these fields in the Android docs. I'm confused what you mean by suspicion when self-signing one's own application; I thought that was the supposed point? Yes, the context I have is signing an application I made for the Android App Store. – Isthmus
What if I am living in India and I want to publish an application for the US; what should I type in the keytool questions for the country and state fields, India or US? – Tl
The publisher information is about >>you<<, so obviously you enter information about where >>you<< reside. Putting bogus information into your certificate is liable to get you into trouble, one way or another. – Collimore
It doesn't seem to me to be at all obvious what they mean. "What is the two-letter country code for this unit?" What's the "unit"? What two-letter country code? – Isthmus
Country codes: en.wikipedia.org/wiki/ISO_3166-1. The unit refers to the organizational unit you entered in the previous step. But seriously, if you can't figure out what kind of information you need to put in the cert ... for your own edge case ... ask Android Playstore Support. – Collimore

I just leave most fields blank if I can. You can do this by using the -dname argument to keytool. For example:

keytool -genkeypair -alias foo -keyalg RSA -keystore mystore.p12 -dname CN=JoeBloggs

This will set the CN ("first and last name") to JoeBloggs, but leave all the other fields blank. You can see the result using a command such as: keytool -list -keystore mystore.p12 -v

Lombardo answered 1/4, 2022 at 14:54
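Added example (not from any of the answers above, and not part of keytool itself): a small Python script that parses the `keytool -list -v` output the previous answer points to and reports, per alias, which of the six subject fields (CN, OU, O, L, ST, C) were left blank, whether C is a two-letter code, and whether the certificate is self-signed (Owner equals Issuer), the two trust concerns raised in the earlier answer. The listing it reads is a constructed sample, not output from a real keystore.

```python
import re

# Constructed sample of `keytool -list -v` output (illustrative only): one entry
# created with a bare CN as above, one with a full subject and a separate issuer.
SAMPLE_LISTING = """\
Alias name: foo
Certificate[1]:
Owner: CN=JoeBloggs
Issuer: CN=JoeBloggs
Alias name: release
Certificate[1]:
Owner: CN=Example App, OU=Mobile, O=Example Ltd, L=Bengaluru, ST=Karnataka, C=IN
Issuer: CN=Example Issuing CA, O=Example CA Ltd, C=US
"""

# The six keytool prompts map to these X.500 attributes, in the order asked.
DN_FIELDS = ("CN", "OU", "O", "L", "ST", "C")

def parse_dn(dn):
    """DN as keytool prints it -> {attr: value}; '\\,' is an escaped comma in a value."""
    fields = {}
    for rdn in re.split(r"(?<!\\),\s*", dn.strip()):  # split on unescaped commas
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            fields[key.strip().upper()] = value.strip().replace("\\,", ",")
    return fields

def audit_listing(text):
    """Return {alias: [issues]} for every entry; only Certificate[1] (the entry's own cert) is inspected."""
    report = {}
    for block in text.split("Alias name:")[1:]:
        alias = block.split("\n", 1)[0].strip()
        owner = re.search(r"^Owner: (.*)$", block, re.M)
        issuer = re.search(r"^Issuer: (.*)$", block, re.M)
        if not owner or not issuer:
            report[alias] = ["no certificate found for entry"]
            continue
        issues = []
        subject = parse_dn(owner.group(1))
        if owner.group(1).strip() == issuer.group(1).strip():
            issues.append("self-signed (no trust chain to a CA)")
        issues += [f"missing {f}" for f in DN_FIELDS if not subject.get(f)]
        country = subject.get("C", "")
        if country and not re.fullmatch(r"[A-Z]{2}", country):
            issues.append(f"C={country!r} is not a two-letter ISO 3166-1 code")
        report[alias] = issues
    return report
```

Run it against real output by piping `keytool -list -keystore mystore.p12 -v` into `audit_listing`; an empty issue list means the subject is complete and the certificate chains to a separate issuer.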

See: http://developer.android.com/tools/publishing/app-signing.html and https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html#CHDHBFGJ and (if you really want to get into the details of the "subject") http://www.ietf.org/rfc/rfc5280.txt

Those options allow you to sign something (like your Android apk) and verify your updates are the real deal to avoid fraud.

Just put in some appropriate values and no matter what happens (people leave, org name changes, whatever) you must use the same key store.

Homespun answered 8/10, 2015 at 23:02