Keytool's -storepass vs. -keypass -- Why 2 passwords?

I understand that the -keypass option is for "the password for the key" and that the -storepass option is for "a password for the 开发者_JAVA技巧keystore".

I don't understand, however, why two passwords are needed.

What scenarios are there for requiring 2 passwords: One for the store (file, in my case) and one for the key.

This is due to how Java handles keystores so it's not an Android specific issue. The reason though is because access to a store such as adding/viewing trust relationships is a separate task from creating and signing keys/certs.

In short, you may trust someone to view/update your keystore but not sign things with a key you store in the keystore. Plus, keys could be stored in multiple keystores and you want your keys locked down individually.

Keytool uses storepass and keypass for different purposes.

storepass is used to access the key store

keypass is used to access the particular key pair's private key.

However, a password should not be specified on a command line or in a script unless it is for testing purposes, or you are on a secure system.