On Thursday, June 14, 2012 12:43:51 PM UTC-4, Dianne Hackborn wrote:
> The platform has an app signed with a cert. If you want to install an
> update to that app under a different cert, how could the platform trust
> that this is actually coming from the author who owns the original cert
> without the new app also being signed in some way with the original cert?
> Note that we don't use certificate authorities, so there is no root cert
> or such to go back to, to try to verify some relationship between two
> certs. Because we use self-signing, you are ultimately the CA, and have
> responsibility for the certs you generate.
>
I know this is an old thread, but this caught my attention. Would it not be possible to come up with a tool with which a developer could somehow use the old cert as the authority for the new one? After all, the developer is the only one with access to the private key, so a new cert could be "signed" by the old one just as an .apk file is signed.
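
The idea raised in the reply above (the old key vouching for the new cert), sketched with the openssl CLI as an added example that is not part of the thread and is not an Android platform mechanism. The subject names, file names and helper functions are made up for the demo, and it assumes `openssl` is on the PATH.

```sh
# Added sketch: subjects, file names and the temp layout are constructed for this demo.
write_cnf() {  # minimal config so the demo does not depend on the system openssl.cnf
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_old
prompt = no
[dn]
CN = placeholder
[v3_old]
basicConstraints = critical,CA:TRUE
EOF
}

# self_signed <dir> <name> <CN>: a self-signed signing identity (the developer is their own CA).
self_signed() {
  openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# endorse <dir> <old> <newCN>: fresh key pair whose cert is issued (signed) by the old key.
endorse() {
  openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -set_serial 2 -days 30 -out "$1/$3.pem" 2>/dev/null
}

# rotation_ok <pinned_old_cert> <candidate_new_cert>: the check a verifier that already
# trusts the old cert would run before accepting a cert it has never seen.
rotation_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && mkdir "$d/dev" "$d/imp" && write_cnf "$d/dev" && write_cnf "$d/imp" || return 2
  self_signed "$d/dev" old old-signing-key && endorse "$d/dev" old new-signing-key || return 2
  # Impostor copies the old cert's subject name but holds a different private key.
  self_signed "$d/imp" old old-signing-key && endorse "$d/imp" old new-signing-key || return 2
  rotation_ok "$d/dev/old.pem" "$d/dev/new-signing-key.pem" && genuine=accepted || genuine=rejected
  rotation_ok "$d/dev/old.pem" "$d/imp/new-signing-key.pem" && impostor=accepted || impostor=rejected
  rm -rf "$d"
  echo "genuine=$genuine impostor=$impostor"
}

demo
```

The endorsement is only as trustworthy as the old private key: anyone who obtains that key can issue a "new" cert the same way.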

