APK Rotate Signer
This is a SignServer Enterprise feature.
The signer has the fully qualified class name: org.signserver.module.apk.signer.ApkRotateSigner
Overview
The APK Rotate Signer supports Android Package Kit (APK) key rotation. Key rotation makes it possible to sign with a new key by rolling over from the old key to the new key using a lineage file. The APK Rotate Signer creates the lineage file that allows rolling over from an old signer to a new one. Both signers must be configured in SignServer and have access to their respective key and certificate.
The APK Rotate Signer requires the OTHER_SIGNERS property to be configured with the old and new signer to include in the lineage. Note that this signer is configured without a crypto token, as no crypto token is used.
For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing.
Available Properties
| Property | Description | Required |
|---|---|---|
| OTHER_SIGNERS | Signers to include in the lineage. Specify exactly two signers: the old and new signers to include in the lineage. | |
| OLD_SET_INSTALLED_DATA | Specifies the installed data capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_SHARED_UID | Specifies the shared UID capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_PERMISSION | Specifies the permission capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_ROLLBACK | Specifies the rollback capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_AUTH | Specifies the auth capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| NEW_SET_INSTALLED_DATA | Specifies the installed data capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_SHARED_UID | Specifies the shared UID capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_PERMISSION | Specifies the permission capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_ROLLBACK | Specifies the rollback capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_AUTH | Specifies the auth capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| MIN_SDK_VERSION | Specifies the minimum SDK version, if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
Worker Log Fields
| Field | Description |
|---|---|
| REQUEST_DIGEST | A message digest (hash) for the request document in hex encoding. |
| REQUEST_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the request digest in the log. |
| RESPONSE_DIGEST | A message digest (hash) for the response document in hex encoding. |
| RESPONSE_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the response digest in the log. |