Noah Paci
Jan 11, 2017
4:49 pm

Encountering Error adding public keys for Knox Enabled App: "Error binding KEA license key and package"

I'm trying to get a feel for the workflow of developing a Knox Enabled App. I've started this process by simply pulling the KEA Sample App ( - the VaultBank_0 app) into Android Studio, building it and pushing the apk onto a Samsung tablet. 

The first time I do this I get the "App not authorized" modal and am offered two buttons, "CANCEL" and "OPEN ANYWAY". I click "CANCEL". I then download the Public Key Extractor and generate the public hash key (as per steps 4, 5, etc of the 'Setup (source code)' section here: Everything I'm doing looks like this:

Now, I have a public hash key and package name in hand that I've emailed to myself, so I swivel over to here and, in the "Knox Enabled App keys" section, I expand the 'Development' type and choose to "Upload additional APK" (specifically the "Or manually upload your APK package name and public key hash." radio button) and paste my values in there.

Voila... All is well, now when I go back to the tablet and open the sample app. I no longer see the "App not authorized" modal and I see the sample app has been installed and has the KEA badge overlaying it's icon in the apps selector screen.

That was all context, and now I'll get to the problem.

I have a 2nd tablet that I want to install this same sample app on (imagining that the KEA I'm developing will need to be pushed out to multiple devices b/c there are multiple developers and testers and such). I go through this very same process on the 2nd tablet, and when I get the point where I paste in the "Package name" and "Public key hash" here for the 2nd device, I click 'Add' and I get an error message back that says "Error binding KEA license key and package."

So, where I'm at now is, it seems like I can't run the same KEA (ie, an app with the same package name) on multiple different devices, under the same credentials I log in with on the seap site. I've got to be doing something wrong, or just misunderstanding the domain. Seems like I should be able to do this, but I suspect I'm misunderstanding something.

Victor Okunev
Jan 12, 2017
10:04 pm

Greetings Noah,

Once you have generated a KEA license for your .apk file, you can deploy this .apk onto multiple devices (2nd tablet in your case) without repeating the license generation step for every device.

You see, the KEA license is not device-specific. The public key extractor app simply generates the hash of the public key found within the .apk file. It doesn't tie that hash to the device.

Hope that helps,



Noah Paci
Jan 12, 2017
10:09 pm

That's how I assumed it should work, but when I attempt to install the apk that worked on Device1 onto Device2, I see the modal that says "App not authorized" with buttons "CANCEL" and "OPEN ANYWAY" on Device2, and I don't get the KEA badge overlaid on the app icon on Device2.

Noah Paci
Jan 17, 2017
2:54 pm

> Is Device2 KEA compatible?

Yes, in fact it is the exact same model Samsung Tab A, running the same version of the operating system(6.0.1)

> Why the app doesn't work on the Device2 is a different question though.

What I am finding in further tests working with this is that the tooling to create the Public Keys generates a unique Public Key for each workstation that builds the apk file.  So if I switch to a different computer or in my case have another developer on their machine build an apk, the Public Key that they get for the same version of the source code and same Package is different than on my workstation.  (Making changes to the source code on a single workstation DOES NOT cause the Public Key to change for the same Package on the same workstation.)  When I go to the SEAP Portal in either the administrative account or one of the ancillary developer accounts assoicated with the same administrator account and attempt to associate a different Public Key for the same Package, i cannot.  I am greeted with an error message that states: "Error binding KEA license key and package" if the Package already exists(albeit with a different Public Key).

I tried to remove the originally associated value and I do not have the ability to remove a Package/Public Key pair from the portal.  FWIW, I can deactivate a package/Key pair, but that doesn't allow me to add a different Public Key in any of the accounts, it just goes to a "deactivated state" from which I can only reactivate it.

Again perhaps, I am not understanding the workflow precisely, but I am unsure how a development team would work with multiple developers on the same application OR if my laptop was replaced, how would I proceed given that the public keys for the apk for the same package would be different and I cannot seemingly have more than one Public Key associated to a a Package Name?  In my current situation I am trying to work with another developer building a KEA and have both of us able to build the same application and have it work on 4 unique tablets.  At the moment only the developer that first associated the Package Name with the Public Key can build the apk and it will work on multiple tablets. See below for an alternative way of describing the problem.

Caveat: All these problems and descriptions are in the context of working with Development Knox Enabled App Keys.

As an example follow we did some work using the VaultBank sample KEA application:

Public Key/Package Upload Problem

  1. Developer A builds VaultBank apk and generates Public Key for
  2. Developer A uploads Public Key(A)/Package pair to SEAP Portal
  3. Developer B builds VaultBank apk and generates Public Key for
  4. Developer B attempts to upload Public Key(B)/Package pair to SEAP Portal and is DENIED: “Error binding KEA license key and package”

At this point for each developer the condition is this:

  1. Developer A can build and deploy VaultBank apk to tablet and it is a KEA with a badge overlay.
  2. Developer B can deploy apk built by Developer A and it is a KEA with a badge overlay.
  3. Developer A and B CANNOT use an apk built by Developer B as it cannot have Public Key(B) uploaded to SEAP Portal. (Technically, it’s useable, it’s just not a KEA any more and does not have the badge overlay.)

Now imagine Developer A goes on vacation:

  1. Past VaultBank apk’s built by developer A all work
  2. Developer B cannot build a VaultBank apk that will be KEA.
  3. What is Developer B to do?
Victor Okunev
Jan 20, 2017
12:30 am

Hi Noah,

I can appreciate how your dev team can get confused with this workflow. I would suggest that instead of using the automatically generated debug certificate on each individual workstation, use a single designated workstation where each developer in your team can drop their unsigned apk to be automatically and consistently signed with the same key. It can be done outside of Android Studio with apksigner tool.

But currently you have a problem at hand and there are couple of ways of solving it:

1. We can manually remove the Package/Public Key pair from our licensing database for you. Please forward both to and we'll take care of it. Please also include the reference to this topic in your email.

2. Refactor your app to use a different app package name, and stick to the workflow I suggested. Not a clean solution, but it will work as well.



Victor Okunev
Mar 30, 2017
10:50 pm

Cool, at least we are clear about the proper KEA workflow. Why the app doesn't work on the Device2 is a different question though. Is Device2 KEA compatible? You can check it here: