Signing problems with keystore and Android

Question

So I have an Android application on the market, and now I need to update it. I've been trying to sign the new apk but having difficulties with that.

I have the keystore, and have verified it contains the correct certificate using keytool -list -v -keystore deployment.keystore. The keystore has no password, don't remember doing that but there you go. If I enter in anything, I get an error, if I don't then it accepts the command and lists the contained certificates.

Now the problem is that when trying to export the apk file in Eclipse, using the export wizard, I'm not allowed to have no password on the keystore, thus I can't get to the credentials that are inside. So I tried to run the following in an attempt to change the password on the keystore keytool -storepasswd -keystore deployment.keystore. I'm asked for a password, and neither the empty string password nor the new password I want to set is accepted. If its < 6 chars in length I get prompted again, and if its > 6 chars I get the following error: keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect.

Now I'm at a loss what to do, and seek the collective knowledge of SO to help me out.

UPDATE: I've now exported the certificate and then imported it again into a new keystore successfully. The problem now is that I'm getting a Unhandled event loop exception in Eclipse when I try to sign. Any ideas?

UPDATE 2: Trying to sign through terminal to avoid the exception that Eclipse is throwing has presented new problems. I'm trying the following: jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore new.keystore myApp.apk myAlias. I only have the certificate in my new keystore, but no private key so I've been trying to export them as p12 from the old keystore by running keytool -importkeystore -srckeystore deployment.keystore -destkeystore myKeystore.p12 -deststoretype PKCS12.

Now I'm getting the following warning:

******* WARNING WARNING WARNING *******

The integrity of the information stored in the srckeystore* * has NOT been verified! In order to verify its integrity, * * you must provide the srckeystore password.

******* WARNING WARNING WARNING *******

And this now prompts me for a password for the srckeystore which is the empty string. This is some loop hole I seem to have fallen into!

Update 3: I've now successfully changed the original keystore password by feeding with the command -storepass. Now however I'm prompted for the keypass of the actual private/public key pair in the keystore. I don't remember setting these, and even though I've read that they default to the keystore password if not set they are not accepting anything I enter. My search continues.

-MrDresden

Answer 1

After trying a few different things, we ended up republishing the app with a new key from a new keystore. Thankfully it had only been out for a couple of hours, and not been promoted at all so only about 10 users got affected. Which is still to many.

After all this, we have started to set up Maven and all publishing will only be done after the Maven server has compiled and signed the app. Everything is backed up, all passwords kept written down etc.