I’m signing an APK with jarsigner, and there is a warning:
jarsigner> No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate’s expiration date or after any future revocation date.
How do I add a timestamp?
On the command line there is an option -tsa http://timestamp.digicert.com for a DigiCert code signing certificate. I can’t see the option in Water and VS - I can’t add a URL for the timestamp server.
→ Task CodeSign started for inprax.firma, Cooper-Android.
D: Ignoring outdated cached data for JavaSign (2018-10-23 >= 2018-10-17)
D: "C:\Program Files (x86)\Java\jdk1.8.0_161\bin\jarsigner.exe" -keystore C:\Projekty\Android\projekty\instalacje\inprax.instalacje\CertyfikatCS.jks -storepass ******** -keypass ****** "C:\Users\LHeczko\AppData\Local\RemObjects Software\EBuild\Obj\inprax.firma-27345FE9C3FA2DDC98492A9964018BB410932B5A\Debug\Cooper-Android\inprax.firma_step3.apk" te-fef8ef8e-4149-4f65-8499-316df75c64ab -digestalg SHA1 -sigalg SHA1withRSA
jarsigner> jar signed.
W: jarsigner:
jarsigner> No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate’s expiration date (2019-10-21) or after any future revocation date.
D: C:\AndroidSDK\build-tools\27.0.1\zipalign.exe -f -v 4 "C:\Users\LHeczko\AppData\Local\RemObjects Software\EBuild\Obj\inprax.firma-27345FE9C3FA2DDC98492A9964018BB410932B5A\Debug\Cooper-Android\inprax.firma_step3.apk" "C:\Users\LHeczko\AppData\Local\RemObjects Software\EBuild\Obj\inprax.firma-27345FE9C3FA2DDC98492A9964018BB410932B5A\Debug\Cooper-Android\inprax.firma.apk"
Yesterday I talked with DigiCert help, because our app with the new certificate can’t be installed due to Google Play Protect, and here is what he wrote:
Android doesn’t require a CA signed cert for code signing to be valid. In order to get it to work, you need to have your private key set for ~25 years. It’s quite difficult to get that to work right. I would highly recommend using a self signed cert for Android APK signing.
A certificate from a CA does not work, but a self-signed one will work - it’s Android and Android’s safety… No comment for Google…
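
An added example, not part of the original post: once an APK has been signed with the -tsa option mentioned above, this script checks whether the JAR (v1) signature block actually carries an RFC 3161 timestamp token, by looking for the id-aa-timeStampToken OID inside the PKCS#7 block under META-INF/. It is a presence check only and does not validate the token; the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# DER encoding of OID 1.2.840.113549.1.9.16.2.14 (id-aa-timeStampToken).
# A timestamped signature stores the TSA token as an unsigned attribute
# under this OID in the PKCS#7 SignerInfo.
TIMESTAMP_TOKEN_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def signature_blocks(jar):
    """Yield (name, bytes) for each signature block directly under META-INF/."""
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            upper = info.filename.upper()
            if (upper.startswith("META-INF/") and upper.count("/") == 1
                    and upper.endswith(SIG_BLOCK_SUFFIXES)):
                yield info.filename, zf.read(info)


def timestamp_report(jar):
    """Map each signature block name to True if a timestamp token OID is present."""
    return {name: TIMESTAMP_TOKEN_OID in data
            for name, data in signature_blocks(jar)}


def build_sample(sig_block):
    """Constructed in-memory archive; the signature block bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", sig_block)
        zf.writestr("classes.dex", b"\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        report = timestamp_report(path)
        if not report:
            print(f"{path}: no JAR (v1) signature block found")
        for name, stamped in report.items():
            state = "timestamped" if stamped else "NOT timestamped"
            print(f"{path}: {name}: {state}")
```

Run it with the path of the signed APK as the argument; `jarsigner -verify -verbose -certs` remains the authoritative check, since it validates the token rather than only detecting it.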