Is the keystore the actual certificate, or is the alias the certificate?
If I use a different alias to sign my app, will it mess up updates on the market? Or would I need to sign my app with a different keystore to mess things up? And where is the info under alias viewable from?
Best Answer
The keystore file generated by Keytool stores pairs of private and public keys. Each pair or entry stored in the keystore is referred to by a unique alias. In brief:
The keystore protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password.
For instance, when you sign an Android application using the Export Signed Application Package option of the Eclipse Android tool, you are asked to select a keystore first, and then asked to select a single alias/entry/pair from that keystore. After providing the passwords for both the keystore and the chosen alias, the app is signed and the public key (the certificate) for that alias is embedded into the APK.
Now to answer your question, you can only release an update to an application that was signed with the alias 'foo' by signing the update again with the same alias. Losing the keystore where your alias is stored would prevent you from releasing an updated version of your app.
There is however a way to sign an app with a new alias, but it involves cloning an existing alias in the keystore using keytool -keyclone:
More information:
http://download.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html
http://developer.android.com/guide/publishing/app-signing.html
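An added example, not part of the answer above: it builds throwaway keystores with keytool and compares the SHA-256 fingerprint of the certificate stored under each alias, which is the value Android compares when it accepts an update. The file names, aliases, password and distinguished name are constructed placeholders, and it renames an entry with keytool -changealias instead of cloning it.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway keystores only; PASS is a placeholder, never a real secret.
PASS=changeit

# Create a new key pair + self-signed certificate. $1 = keystore file, $2 = alias.
make_entry() {
  keytool -genkeypair -keystore "$1" -alias "$2" -keyalg RSA -keysize 2048 \
    -validity 10000 -dname "CN=Example Dev" \
    -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Print the SHA-256 of the DER certificate stored under an alias.
# Fails (non-zero) if the alias or keystore cannot be read.
cert_fp() {
  keytool -exportcert -keystore "$1" -alias "$2" -storepass "$PASS" \
    -file "$1.$2.der" >/dev/null 2>&1 || return 1
  sha256sum "$1.$2.der" | cut -d' ' -f1
}

# Rename an entry. The key pair and certificate are untouched; only the label changes.
rename_alias() {
  keytool -changealias -keystore "$1" -alias "$2" -destalias "$3" \
    -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_entry "$d/a.keystore" foo
  make_entry "$d/a.keystore" bar   # second entry in the same keystore
  make_entry "$d/b.keystore" foo   # same alias name, different keystore

  echo "a.keystore/foo     $(cert_fp "$d/a.keystore" foo)"
  echo "a.keystore/bar     $(cert_fp "$d/a.keystore" bar)   (different key pair)"
  echo "b.keystore/foo     $(cert_fp "$d/b.keystore" foo)   (same name, different key pair)"

  rename_alias "$d/a.keystore" foo release
  echo "a.keystore/release $(cert_fp "$d/a.keystore" release)   (renamed foo, same certificate)"

  # Where the information under an alias is viewable: owner, validity, fingerprints.
  keytool -list -v -keystore "$d/a.keystore" -alias release -storepass "$PASS"
  rm -rf "$d"
}

# Run the demo only when a JDK and sha256sum are on PATH.
if command -v keytool >/dev/null 2>&1 && command -v sha256sum >/dev/null 2>&1; then
  demo
fi
```

Before publishing an update, compare the fingerprint of the alias you are about to sign with against the certificate of the released APK; the alias name alone tells you nothing about which key is behind it.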