kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

Clarification #325

Closed jesphinpt closed 2 years ago

jesphinpt commented 2 years ago

@kaikramer Could you please let me know how I can update the SHA1withRSA weak key to a stronger key.

If so, how does the algorithm get changed, i.e. does it use SHA2 or does it use the same SHA1 key?

Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.

kaikramer commented 2 years ago

You have to create a completely new key and certificate.

The key is only 1024 bit long and it should be at least 2048.


For the certificate use one of the SHA2 signature algorithms ("SHA-256 with RSA", "SHA-384 with RSA" or "SHA-512 with RSA"). "SHA-256 with RSA" is the default in KSE:


If your key has to be signed by a CA, then the CA will make sure to use a SHA2 algorithm.

Please note that this issue tracker is for KSE related topics, not for general PKI questions.

jesphinpt commented 2 years ago

@kaikramer Thanks for your clarification.

I need to know whether I am able to update the size of the key using any options?

Because I need to use the existing keystore for my apps.

It would be helpful if you provide any input to update the key from 1024 to 2048 size.

kaikramer commented 2 years ago

Ok, so you are using the certificate to sign Android apps.

You can keep the existing keystore, but you have to create a new key. Different key size means different key, there is no way to upgrade a 1024 bit key to 2048 bit.

It is probably a good idea to keep the alias and distinguished name, but apart from that there is nothing special about an Android signing certificate. Android Studio creates only the Subject Key Identifier (SKI) extension.

Why do you want to update the signing key if it is so easy to create a new one?
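
The steps above (keep the keystore, keep the alias and DN, generate a new 2048-bit RSA key, self-sign with SHA-256 with RSA, add only the SKI extension), as an added example that is not KSE project code and not part of this thread; it uses BouncyCastle (bcprov and bcpkix), and the keystore path, password and alias are assumed values.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class RekeyEntry {
    public static void main(String[] args) throws Exception {
        String ksPath = "release.jks";            // assumed: existing keystore
        char[] pw = "changeit".toCharArray();     // assumed: its password
        String alias = "appkey";                  // assumed: alias to keep
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, pw); }

        // Reuse the DN of the old (weak) certificate; only key size and
        // signature algorithm change.
        X509Certificate old = (X509Certificate) ks.getCertificate(alias);
        X500Name dn = X500Name.getInstance(old.getSubjectX500Principal().getEncoded());

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);                     // was 1024-bit (weak)
        KeyPair kp = kpg.generateKeyPair();

        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 25L * 365 * 24 * 3600 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                dn, new BigInteger(64, new SecureRandom()), notBefore, notAfter, dn, kp.getPublic());
        // The only extension Android Studio adds: Subject Key Identifier.
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                new JcaX509ExtensionUtils().createSubjectKeyIdentifier(kp.getPublic()));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA") // was SHA1withRSA
                .build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(builder.build(signer));

        // setKeyEntry overwrites the entry under this alias: back up the keystore
        // first if the old key is still needed (e.g. for APK key rotation lineage).
        ks.setKeyEntry(alias, kp.getPrivate(), pw, new Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream(ksPath)) { ks.store(out, pw); }
    }
}
```

After running it, KSE's certificate view for the entry should show "SHA256withRSA" and "2048-bit RSA key" instead of the two "(weak)" warnings quoted at the top of this issue.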

jpstotz commented 2 years ago

@jesphinpt Upgrading the Android APK signing key is pretty complicated as an app can only be updated if it has the same key. Key migration/rotation is possible but only works for recent Android versions. Please read https://source.android.com/security/apksigning/v3

kaikramer commented 2 years ago

@jpstotz Thanks, now I understand the problem. 😄

I think the interesting question here is: Would it be useful for Android programmers if KSE could sign APKs with Signature Scheme v2 - v4 (including support for key rotation) or is that better handled by an IDE or apksigner?

So far this feature has not been requested, which led me to the assumption that there is no demand for it.

jpstotz commented 2 years ago

@kaikramer adding APK signing would be easy using the library Google's apksigner is based on: com.android.tools.build:apksig

But in my opinion I would not include it. Signing APK files is a very special use case and outside of the Android ecosystem totally useless. Furthermore it is only relevant for old existing apps as Google forces you to store the signing private key in their cloud for new apps.

kaikramer commented 2 years ago

I think I can close this...

jesphinpt commented 2 years ago

I have used the signing as self-signing. Are you mentioning that I need to move to Google Play signing for already available or existing apps?

jpstotz commented 2 years ago

@jesphinpt if you are an app developer your APK build chain should already include an option to sign the created APK. Whether you upload the signing key to Google or not is your decision.