Hi,

The value is that self-signing is free; a trusted CA is not.

This was one of the major impediments to developing for J2ME; Android
removed this barrier.

Regards

On Apr 12, 1:44 am, Bob Kerns <[email protected]> wrote:
> If you protect your signing key, then it *does* prove that it was signed by
> you, and not modified by someone else.
>
> The difference between a cert signed by a trusted CA and one signed by you
> is simply this: With a trusted CA, they can ask the trusted CA whether
> that's you or not. With a self-signed cert, they would have to find you and
> ask you.
>
> They can ask you, by encrypting a message with your public key, and asking
> you to decrypt it. Decrypting it would prove that you are indeed in
> possession of the private key.
>
> So long as you protect your private key:
>
>    - If you upload a new version of your .apk, the market can verify that it
>    is from you, and not modified by anyone else.
>    - If you publish two apps that want to access each other's storage, or
>    run in the same process (not recommended), that is also allowed, so long as
>    you sign them with the same private key.
>
> When a trusted CA signs a cert, they have done some leg work to verify that
> you are indeed who you say you are. Other than that, they're not adding
> value -- though I'd argue that's an important defense against malicious
> apps!
>
> I don't know that there's any reason the cert you use has to be self-signed.
> If you have a code signing cert from one of the trusted CAs, it *should* work
> just fine. I've been curious about that....
>
> But I don't know exactly how the Android team use the certs -- or perhaps
> they ignore them altogether and simply use the public key itself.

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
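
The update and shared-storage rules discussed in this thread, as an added example that is not part of the original messages and is not Android's own code: a simplified model in which the installer pins the exact signing certificate at first install and never consults a CA chain. The class, package names and certificate byte strings are constructed for illustration, and the model assumes the package's signature has already been verified against the certificate it carries.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
DEV_CERT = b"constructed-cert: CN=Example Developer (self-signed)"
OTHER_CERT = b"constructed-cert: CN=Someone Else (self-signed)"


class PackageStore:
    """Hypothetical installer model: identity is the pinned signer certificate."""

    def __init__(self):
        self._signers = {}  # package name -> frozenset of certificate digests
        self._shared = {}   # shared user id -> frozenset of certificate digests

    @staticmethod
    def _digests(certs):
        # Only the exact certificate bytes matter; no issuer chain is walked,
        # so a self-signed and a CA-issued certificate are treated alike.
        if not certs:
            raise ValueError("package is unsigned")
        return frozenset(hashlib.sha256(c).hexdigest() for c in certs)

    def install(self, package, certs, shared_user_id=None):
        new = self._digests(certs)
        old = self._signers.get(package)
        if old is not None and old != new:
            return "rejected: update signed by a different key"
        if shared_user_id is not None:
            # The first signer to claim a shared user id owns it.
            owner = self._shared.setdefault(shared_user_id, new)
            if owner != new:
                return "rejected: shared user id owned by another signer"
        self._signers[package] = new
        return "updated" if old is not None else "installed"


def demo():
    store = PackageStore()
    return [
        store.install("com.example.notes", [DEV_CERT], "com.example.shared"),
        store.install("com.example.notes", [DEV_CERT], "com.example.shared"),
        store.install("com.example.notes", [OTHER_CERT]),
        store.install("com.example.sync", [DEV_CERT], "com.example.shared"),
        store.install("com.other.app", [OTHER_CERT], "com.example.shared"),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the pin is the only anchor of trust, losing the private key means no further updates can be accepted for that package, and a stolen key lets someone else ship updates that pass this check.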