certificate – How does Android devices get developers' public keys?

Posted by: admin June 15, 2020


The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application’s developer. How specifically is the public key distributed to client Android devices? Is the public key contained in the apk when developers release the app? If so, where is the key stored?

Or does an Android market, e.g. Google Play, hold a list of developer ids coupled with the corresponding public keys and push the right key to client devices when an app is downloaded?

Are there any docs that convey this information?

Thanks a lot for any inputs.

How to & Answers:

The public key is distributed within the apk file. If you unarchive an apk file you will find a special folder called META-INF that contains all the information about the signature. Basically, you need to explore the files with the extensions *.RSA and *.DSA, which contain the signature of the package along with the public key.

You can read these two articles (one, two) to understand the process.



Some parts of the link will resolve your question:
Embed your public key for licensing

For each application, the Google Play service automatically generates a 2048-bit RSA public/private key pair that is used for licensing and in-app billing. The key pair is uniquely associated with the application. Although associated with the application, the key pair is not the same as the key that you use to sign your applications (or derived from it).

The Google Play Developer Console exposes the public key for licensing to any developer signed in to the Developer Console, but it keeps the private key hidden from all users in a secure location. When an application requests a license check for an application published in your account, the licensing server signs the license response using the private key of your application’s key pair. When the LVL receives the response, it uses the public key provided by the application to verify the signature of the license response.

To add licensing to an application, you must obtain your application’s public key for licensing and copy it into your application. Here’s how to find your application’s public key for licensing:

1. Go to the Google Play Developer Console and sign in. Make sure that you sign in to the account from which the application you are licensing is published (or will be published).
2. In the application details page, locate the Services & APIs link and click it.
3. In the Services & APIs page, locate the Licensing & In-App Billing section. Your public key for licensing is given in the Your License Key For This Application field.
4. To add the public key to your application, simply copy/paste the key string from the field into your application as the value of the String variable BASE64_PUBLIC_KEY. When you are copying, make sure that you have selected the entire key string, without omitting any characters.

Here’s an example from the LVL sample application:

public class MainActivity extends Activity {
    private static final String BASE64_PUBLIC_KEY = "MIIBIjANBgkqhkiG ... "; //truncated for this example
    // ... rest of the sample activity omitted
}
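The exchange the quoted docs describe (the licensing server signs the response with the app's private key, the app verifies it with the public key it embeds) as an added example; it is not part of the original answer or of the LVL itself. To run with the standard library only it uses textbook RSA over a SHA-256 digest and a base64 "n:e" string as a stand-in for BASE64_PUBLIC_KEY, whereas the real LVL verifies a padded SHA1withRSA signature against an X.509-encoded key. The package name, nonce, user id and timestamp are constructed; the response codes and the field layout of the signed string follow the LVL.

```python
import base64
import hashlib
import random
import secrets

# LVL response codes (LicenseValidator); only these two are used here.
LICENSED, NOT_LICENSED = 0, 1


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full size, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Play-side step: one key pair per application. Returns (public, private)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))   # pow(e, -1, m) needs Python 3.8+


def sign(private_key, message):
    """Textbook RSA over SHA-256: a toy stand-in for the LVL's padded SHA1withRSA."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return base64.b64encode(pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def verify(public_key, message, signature_b64):
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    s = int.from_bytes(base64.b64decode(signature_b64), "big")
    return 0 < s < n and pow(s, e, n) == h


def embed_public_key(public_key):
    """What the app carries as BASE64_PUBLIC_KEY (here 'n:e', not X.509 SubjectPublicKeyInfo)."""
    return base64.b64encode(f"{public_key[0]}:{public_key[1]}".encode()).decode()


def load_public_key(base64_public_key):
    n, e = base64.b64decode(base64_public_key).decode().split(":")
    return int(n), int(e)


def server_license_response(private_key, nonce, package, version_code, user_id, timestamp, licensed):
    """Licensing server: build the LVL signedData string and sign it with the app's private key."""
    code = LICENSED if licensed else NOT_LICENSED
    signed_data = f"{code}|{nonce}|{package}|{version_code}|{user_id}|{timestamp}"
    return signed_data, sign(private_key, signed_data.encode())


def client_check(base64_public_key, expected_nonce, package, version_code, signed_data, signature):
    """App side (what the LVL does): verify with the embedded public key first, then check the
    fields the app knows on its own, so a response for another app or an old request is rejected."""
    if not verify(load_public_key(base64_public_key), signed_data.encode(), signature):
        return False, "bad signature"
    code, nonce, pkg, ver, _user, _ts = signed_data.split("|", 5)
    if int(nonce) != expected_nonce:
        return False, "nonce mismatch (replayed or foreign response)"
    if pkg != package or int(ver) != version_code:
        return False, "response is for another package or version"
    return (True, "ok") if int(code) == LICENSED else (False, "not licensed")


if __name__ == "__main__":
    public, private = generate_keypair(1024)
    app_key = embed_public_key(public)        # pasted into the app at build time
    nonce = secrets.randbelow(2**31)          # generated by the app for each check
    denied, sig = server_license_response(private, nonce, "com.example.app", 7, "user-1", 1700000000, False)
    print(client_check(app_key, nonce, "com.example.app", 7, denied, sig))          # (False, 'not licensed')
    forged = str(LICENSED) + denied[1:]        # attacker flips the response code without the private key
    print(client_check(app_key, nonce, "com.example.app", 7, forged, sig))          # (False, 'bad signature')
```

The point the docs make is that the private half never leaves Google's servers, so a response cannot be forged or edited on the device even though the public key is readable in the apk. The nonce and package checks are the part app authors most often forget: without them a valid signed response captured for another app, or for the same app yesterday, would still verify.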


Here is an example; follow steps 1 – 8 in “Getting a Certificate”.
This isn’t just a Google API tutorial; it covers the key signing that you need in that one section I mentioned.
There’s also a link there regarding Debug and Release keys for Android development that provides more info on the Android development site.

LINK: Android Signing Keys and Google Map API Key


You have to upload them to the Play Store before publishing.

It is then checked against the signature of your apk:

If you are talking about the key to verify apps on install : you can use any key to sign an app and install it via adb. But, you will have to use the same key to re-install an app. In that case, keys are not checked against a global repo like with Google Play, they are just checked locally.

For testing, things are a bit different. I believe it’s due to the interaction of the instrumentation runner and the code under test: they have to run in the same process, so if you install an app’s test package with a debug certificate, you can’t install the app using a release certificate; either you install the app with the debug certificate as well, or you uninstall the tests.

Some details here : http://developer.android.com/tools/publishing/app-signing.html
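An added example, not taken from any of the answers above, that ties together the first answer (the certificate travels inside the apk, in META-INF) and the last one (the device compares certificates locally and only lets the same signer update or instrument an installed app). It handles the v1 (JAR) signing scheme only, i.e. a PKCS#7 SignedData in META-INF/*.RSA, *.DSA or *.EC; the v2/v3 APK Signing Block lives elsewhere in the zip and is not parsed here. The sample apk, its CERT.RSA and the two "certificates" are constructed in the block (plain DER SEQUENCEs standing in for X.509 certificates, and a SignedData with no real signer), so the code exercises the lookup and comparison path, not signature verification. Standard library only.

```python
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_encode(tag, payload):
    """Encode one DER TLV; lengths up to 65535 bytes are enough for this example."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def der_decode(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end). Indefinite lengths are not DER."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Iterate (tag, value, raw_tlv) over the elements of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, end = der_decode(value, pos)
        yield tag, val, value[pos:end]
        pos = end


def certificates_from_pkcs7(blob):
    """Pull the raw DER certificates out of a PKCS#7 SignedData (what CERT.RSA holds)."""
    _, content_info, _ = der_decode(blob)
    (oid_tag, oid, _), (_, explicit0, _) = list(der_children(content_info))[:2]
    if oid_tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData")
    _, signed_data, _ = der_decode(explicit0)          # [0] EXPLICIT SignedData
    for tag, val, _ in der_children(signed_data):
        if tag == 0xA0:                                 # certificates [0] IMPLICIT SET
            return [raw for _, _, raw in der_children(val)]
    return []


def signer_fingerprints(apk_bytes):
    """SHA-256 of every certificate found in the apk's v1 signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(zf.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def update_allowed(installed_apk, update_apk):
    """The local rule from the last answer: an update, or a test package targeting an installed
    app, must carry the same certificate set. No central key store is consulted."""
    return signer_fingerprints(installed_apk) == signer_fingerprints(update_apk)


def build_sample_apk(cert_der):
    """Constructed sample apk: manifest, .SF and a CERT.RSA that embeds cert_der.
    signerInfos is empty, so this SignedData proves nothing; it only feeds the parser."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                             # version
        + der_encode(0x31, b"")                               # digestAlgorithms
        + der_encode(0x30, der_encode(0x06, OID_DATA))        # encapContentInfo
        + der_encode(0xA0, cert_der)                          # certificates [0]
        + der_encode(0x31, b""))                              # signerInfos
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", pkcs7)
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed stand-ins for a release and a debug certificate (real ones are X.509).
RELEASE_CERT = der_encode(0x30, der_encode(0x0C, b"release signer (constructed)"))
DEBUG_CERT = der_encode(0x30, der_encode(0x0C, b"debug signer (constructed)"))

if __name__ == "__main__":
    v1, v2, debug_build = (build_sample_apk(c) for c in (RELEASE_CERT, RELEASE_CERT, DEBUG_CERT))
    print("signers:", signer_fingerprints(v1))
    print("release -> release update:", update_allowed(v1, v2))           # True
    print("release -> debug build:   ", update_allowed(v1, debug_build))  # False
```

On a real apk the same lookup is `unzip -p app.apk 'META-INF/*.RSA' | openssl pkcs7 -inform DER -print_certs | openssl x509 -noout -fingerprint -sha256`, or `apksigner verify --print-certs app.apk`, which also covers the v2/v3 signing block. The fingerprint printed there is what the package manager compares on update, and what Google APIs such as Maps bind an API key to, which is why switching from the debug to the release keystore changes both behaviours at once.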