I have the following scenario:
We have a critical app that's distributed through APK download from our own servers (not Play store). The app updates itself, and another app, by downloading and installing the APK (with an Android intent). Both these APKs are signed by our company's code signing key.
The problem:
The signing key will expire in 5 days, and we couldn't renew it, as it's 2048-bit RSA. According to some CA/Browser forum document:
Baseline requirements for code signing
But if we change the private key to 3072-bit RSA, Android will refuse to install (this I understand):
Package com.whatever.myapp signatures do not match previously installed version; ignoring!
Is there any way of making it less painful for the users than uninstalling and reinstalling the app? (It's distributed nationwide, to more than 1000 clients, who aren't able to do this).
Changing the package name would mean a clean DB for the clients, so it's not a feasible solution. Is it true that I cannot get a valid signature for the 2048-bit RSA private key? Are there any solutions?
Thanks in advance!
Keys don't expire, but certificates do (or at least they have a NotValidAfter field). That being said, Android does not verify the validity of the certificate, it only enforces that the certificate remains the same byte-for-byte, so technically, having an "outdated" certificate will have no impact on your users.
If you still want to change the key, you'd have to use key rotation (https://source.android.com/security/apksigning/v3) which is a feature that was introduced in Android 9, so only users on Android 9+ would be able to verify the signature with the new key while users on older devices would keep verifying the signature from the old key.
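As an added illustration of the answer's two points (Android compares the signer certificate byte-for-byte and never looks at its expiry; on Android 9+ a v3 lineage can carry the old certificate alongside the new one), here is a pre-install check an updater app could run before firing the install intent. This is example code, not from the question or the answer; the class and method names are hypothetical, and it assumes getPackageArchiveInfo populates signingInfo on the target devices (it fails closed when it does not).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.util.Arrays;

/** Hypothetical pre-install check for a self-updating app (names are assumptions). */
public final class UpdateSignerCheck {
    /** Signers the downloaded APK is entitled to: its current cert plus any v3 lineage (API 28+). */
    static Signature[] archiveSignerHistory(PackageManager pm, String apkPath) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNING_CERTIFICATES);
            // Fail closed on a null signingInfo (not always populated for archives) or multiple signers.
            if (info == null || info.signingInfo == null || info.signingInfo.hasMultipleSigners()) {
                return new Signature[0];
            }
            return info.signingInfo.getSigningCertificateHistory();
        }
        PackageInfo info = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        boolean single = info != null && info.signatures != null && info.signatures.length == 1;
        return single ? info.signatures : new Signature[0]; // pre-28: only the current cert counts
    }

    /** Current signer of the installed package, or null if it has more than one signer. */
    static Signature installedSigner(PackageManager pm, String pkg)
            throws PackageManager.NameNotFoundException {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return null;
            Signature[] s = info.signingInfo.getApkContentsSigners();
            return s.length == 1 ? s[0] : null;
        }
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return (info.signatures != null && info.signatures.length == 1) ? info.signatures[0] : null;
    }

    /** True if the installer would treat apkPath as a valid update of the installed pkg. */
    static boolean updateWillBeAccepted(Context ctx, String pkg, String apkPath)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        Signature installed = installedSigner(pm, pkg); // throws if pkg is not installed at all
        if (installed == null) return false;
        byte[] currentDer = installed.toByteArray();
        for (Signature candidate : archiveSignerHistory(pm, apkPath)) {
            // Byte-for-byte DER comparison, which is what Android does; NotAfter is never consulted.
            if (Arrays.equals(candidate.toByteArray(), currentDer)) return true;
        }
        return false; // the "signatures do not match previously installed version" case
    }
}
```

On a device below Android 9 the loop only ever sees the update's current certificate, so a rotated key is rejected there exactly as the answer describes, while on Android 9+ an APK signed with a lineage that includes the old certificate passes.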