ENTERPRISE  This is a SignServer Enterprise feature.

The signer has the fully qualified class name: org.signserver.module.apk.signer.ApkRotateSigner

Overview

The APK Rotate Signer supports Android Package Kit (APK) key rotation. Key rotation lets you start signing with a new key by rolling over from the old key through a lineage file. The APK Rotate Signer creates the lineage file that allows rolling over from an old signer to a new one. Both signers must be configured in SignServer and have access to their respective key and certificate.

The APK Rotate Signer requires the OTHER_SIGNERS property to be configured with the old and new signer to include in the lineage. Note that this signer is configured without a crypto token, as no crypto token is used.

For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing.

Available Properties

| Property | Description | Required |
|---|---|---|
| OTHER_SIGNERS | Signers to include in the lineage. Specify exactly two signers: the old and new signers to include in the lineage. | Yes |
| OLD_SET_INSTALLED_DATA | Specifies the installed data capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_SHARED_UID | Specifies the shared UID capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_PERMISSION | Specifies the permission capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_ROLLBACK | Specifies the rollback capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| OLD_SET_AUTH | Specifies the auth capability of the old signer in the updated lineage (true or false), if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
| NEW_SET_INSTALLED_DATA | Specifies the installed data capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_SHARED_UID | Specifies the shared UID capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_PERMISSION | Specifies the permission capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_ROLLBACK | Specifies the rollback capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| NEW_SET_AUTH | Specifies the auth capability of the new signer in the updated lineage (true or false), if set. Default: unset. | |
| MIN_SDK_VERSION | Specifies the minimum SDK version, if set. This is only used when creating a new lineage file, not when updating an existing one. Default: unset. | |
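
The rules stated above (exactly two signers, true or false capability values, no crypto token, and properties that only apply when a new lineage is created) can be checked before a worker configuration is deployed. The following linter is an added example, not SignServer code; the comma separator for OTHER_SIGNERS, the worker names and the sample values are assumptions.

```python
CAPS = ("INSTALLED_DATA", "SHARED_UID", "PERMISSION", "ROLLBACK", "AUTH")
BOOL_PROPS = {f"{who}_SET_{cap}" for who in ("OLD", "NEW") for cap in CAPS}
# Per the property table, these only take effect when a new lineage is created.
CREATE_ONLY = {p for p in BOOL_PROPS if p.startswith("OLD_")} | {"MIN_SDK_VERSION"}


def parse_properties(text):
    """Parse KEY=VALUE lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def lint_rotate_signer(props, updating_existing_lineage=False):
    """Return a list of findings; an empty list means the properties pass."""
    findings = []
    # ASSUMPTION: OTHER_SIGNERS is comma-separated (the page does not state the separator).
    signers = [s.strip() for s in props.get("OTHER_SIGNERS", "").split(",") if s.strip()]
    if len(signers) != 2:
        findings.append(f"OTHER_SIGNERS must name exactly two signers, found {len(signers)}")
    elif signers[0] == signers[1]:
        findings.append("OTHER_SIGNERS names the same signer twice")
    if "CRYPTOTOKEN" in props:
        findings.append("CRYPTOTOKEN is set, but this signer uses no crypto token")
    for name in sorted(BOOL_PROPS & props.keys()):
        if props[name].lower() not in ("true", "false"):
            findings.append(f"{name} must be true or false, got {props[name]!r}")
    if updating_existing_lineage:
        for name in sorted(CREATE_ONLY & props.keys()):
            findings.append(f"{name} has no effect when updating an existing lineage")
    return findings


# Constructed samples; the worker names are hypothetical.
SAMPLE_OK = """\
IMPLEMENTATION_CLASS=org.signserver.module.apk.signer.ApkRotateSigner
OTHER_SIGNERS=ApkSignerOld, ApkSignerNew
OLD_SET_ROLLBACK=false
OLD_SET_AUTH=false
"""
SAMPLE_BAD = "OTHER_SIGNERS=ApkSignerOld\nCRYPTOTOKEN=CryptoTokenP12\nNEW_SET_AUTH=yes\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(lint_rotate_signer(parse_properties(sample)) or "OK")
```

Pass `updating_existing_lineage=True` to flag OLD_SET_* and MIN_SDK_VERSION values that would be silently ignored on an update.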

Worker Log Fields

| Field | Description |
|---|---|
| REQUEST_DIGEST | A message digest (hash) for the request document in hex encoding. |
| REQUEST_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the request digest in the log. |
| RESPONSE_DIGEST | A message digest (hash) for the response document in hex encoding. |
| RESPONSE_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the response digest in the log. |