applicationSignerCertificate

Defines the signer certificate(s) that App Shielding trusts when checking for repackaging. That is, App Shielding assumes the app has been repackaged if the certificate used to sign the app does not match any of the given certificates here. To configure App Shielding to trust multiple certificates, add a separate applicationSignerCertificate option for each certificate.

The value for this option can be the PEM or Base64-encoded DER version of the certificate (see below for examples), or one of the following special aliases:

• auto

  Default value. Resolves to the signing certificate configured for the Shielding Tool if the Shielding Tool will sign the target app. For more information, see Signing the application. If the Shielding Tool will not sign the app, then the original certificate is used. Otherwise, an error is thrown.

• original

  Inserts the original certificate, if the original application is already signed. If the application is not signed, or the Shielding Tool fails to extract the certificate, an error is thrown.

• Type: certificate

• Default Value: auto

• Multiple allowed: Yes

• Required: Yes

<applicationSignerCertificate>
  -----BEGIN CERTIFICATE-----
  MIIDYjCCAkqgAwIBAgIJAKZ8PFEEDQGrMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
  BAYTAk5PMQ0wCwYDVQQIEwRPc2xvMQ0wCwYDVQQHEwRPc2xvMQ8wDQYDVQQKEwZQ
  cm9tb24xEDAOBgNVBAsTB1Vua25vd24xDzANBgNVBAMTBlByb21vbjAeFw0yMjA4
  MDUxNDI2MjNaFw0zMjA4MDIxNDI2MjNaMF8xCzAJBgNVBAYTAk5PMQ0wCwYDVQQI
  EwRPc2xvMQ0wCwYDVQQHEwRPc2xvMQ8wDQYDVQQKEwZQcm9tb24xEDAOBgNVBAsT
  B1Vua25vd24xDzANBgNVBAMTBlByb21vbjCCASIwDQYJKoZIhvcNAQEBBQADggEP
  ADCCAQoCggEBAL/+nPyARzpwG9zoY2B1hiW46rohJjBRpAWjS+h7wU3ESJtr7dTf
  QL7bAiB0bsyIUGOb6bFiWHQCZzaR8UFULItzrs7Aj3QCi1oeN3XhYdZqVvTeFzl+
  pg3FqVmRgFiooyEHkserlB20D9AITVGrQYjJB3nhWMegm6ir1zHhVfah0bv5UJ9f
  86y6nwO9dVn2C0YX/If4Kkp0IrbUBgMMZekmkFATzkJOUhdRBoo98Ui1w4NjtFfJ
  jYc6tcHeunXpR5VI7lqA7KJI5aouzQH6iSJ3y6r1JG71Q2tUagdEK6z+407rX2Sv
  8VmKMDv93faMZBzQvoftfYFPr+dhjoYiwsECAwEAAaMhMB8wHQYDVR0OBBYEFNER
  z4oo9DdUHsRHpg82Gab+s8AxMA0GCSqGSIb3DQEBCwUAA4IBAQBLpTJKtFaYUOdf
  /x+Ie5e55A0JHMrX7faY7aUbn0IfcciDdhuzlycYiU67jFxzqRKmvECBdLyWWt/l
  0+UBSaBIdHZswOQT71tP4Rx6lgaSLVExfXkzfNQ4z7w5ipqnA6HHadCXltmgpzlV
  HFlpBBYyuRr9k36ipxDPTPwgtSAejNNCqRTRxa5v+ZMaooPw+O7gwbhGjkBzpfar
  kHisiwTpZcukPk533H7JmwHGYLx4EheYUVWp2h7UGaDIo0XS1/dDhJsYqQKYMCVn
  JIwahuxHtYXB/zXepECu2oAOifjn2RbSTqsU6kLIuGvscx3zaUMKNu+ZsJ2l1gTh
  422Gi+Do
  -----END CERTIFICATE-----
</applicationSignerCertificate>

The format of this field can be PEM as shown above, or the Base64 encoded DER version of the certificate without any form of white space.

The certificate can be exported in the following manner depending on how your certificate is stored.

• Java keystore: If you have your certificate in a Java keystore, use the following command to export the certificate:

  keytool -keystore filename.jks -storepass password -alias name -exportcert -rfc

• Existing Apk file: In order to obtain this string from an existing signed .apk-file, extract the relevant certificate from the META-INF/ directory of the APK. The file name should have an .RSA or .DSA extension.

  Format the certificate using the following OpenSSL command:

  openssl pkcs7 -inform DER -text -print_certs -in file.RSA

• Google Play Signing: If you are using Google Play signing, download the App signing key certificate from Google Play Console, and format it using the following OpenSSL command:

  openssl x509 -inform DER -outform PEM -in deployment_cert.der