APK Rotate Signer
ENTERPRISE This is a SignServer Enterprise feature.
The signer has the fully qualified class name: org.signserver.module.apk.signer.ApkRotateSigner
Overview
The APK Rotate Signer supports Android Package Kit (APK) key rotation. Key rotation supports signing with a new key by rolling over to the new key using a lineage file. The APK Rotate Signer is used to create the lineage file that allows rolling over from an old signer to a new one. Both signers must be configured in SignServer and have access to their respective key/certificate.
The APK Rotate Signer requires the OTHER_SIGNERS property to be configured with the old and new signer to include in the lineage. Note that this signer is configured without a crypto token, as no crypto token is used.
For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing.
Available Properties
| Property | Description | Required |
|---|---|---|
OTHER_SIGNERS | Signers to include in the lineage. Specify exactly two signers: the old and new signers to include in the lineage. |  |
| OLD_SET_INSTALLED_DATA | Specifies the installed data capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_SHARED_UID | Specifies the shared UID capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_PERMISSION | Specifies the permission capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_ROLLBACK | Specifies the rollback capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_AUTH | Specifies the auth capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| NEW_SET_INSTALLED_DATA | Specifies the installed data capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_SHARED_UID | Specifies the shared UID capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_PERMISSION | Specifies the permission capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_ROLLBACK | Specifies the rollback capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_AUTH | Specifies the auth capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| MIN_SDK_VERSION | Specifies the minimum SDK version, if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. |
Worker Log Fields
| Field | Description |
|---|---|
| REQUEST_DIGEST | A message digest (hash) for the request document in HEX encoding. |
| REQUEST_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the request digest in the log. |
| RESPONSE_DIGEST | A message digest (hash) for the response document in hex encoding. |
| RESPONSE_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the response digest in the log. |