I am publishing an app via the Amazon app store as well as via Google's app store.
Amazon dicks with the APK and then signs it with their own cert, but also offers you the opportunity to sign the modified APK with your cert.
If an APK is signed with two certs and an upgrade becomes available with just one cert (i.e. an upgrade becomes available from Google Play for an installation that was originally from Amazon's store) what happens? Does the Package manager require signatures from both certs before upgrading? Or any single cert? Or does one of the certs take priority?
I did some research.
https://groups.google.com/forum/#!topic/android-security-discuss/npRHQzzgErM
Redux: As of four years ago, Google does not know.
http://www.escapades-in-security.com/blog/2012/12/android-apk-supersignature.html
Redux: Suggests a pattern of requiring that the set of signatures match to perform an operation, so presumably upgrades would need to be double signed.
Nothing definitive yet, and I am starting to think that Amazon doesn't add a second signature, not sure where I got that idea from. (Maybe I got it from here: digital signature amazon app store )
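To make the "set of signatures must match" pattern concrete, here is an added example (not code from the question, from Android, or from Amazon) that models the decision the package manager makes before installing an update, and a small helper that counts how many v1 (JAR-scheme) signer blocks an APK carries. The set-equality rule mirrors the behaviour of compareSignatures() in AOSP's PackageManagerService (installed signer set and update signer set must be identical); the function names, the return codes and the fingerprints used as sample signers are constructed for this example.

```python
"""Model of Android's upgrade signature check plus an APK v1 signer counter.

Added example: the set-equality rule follows AOSP's compareSignatures(),
but everything else here (names, codes, sample fingerprints) is constructed.
"""
import hashlib
import io
import zipfile

# Illustrative return codes; AOSP uses its own integer constants.
SIGNATURE_MATCH = 0
SIGNATURE_NO_MATCH = -1


def fingerprint(label: str) -> str:
    """Constructed stand-in for a signing certificate's SHA-256 fingerprint."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample signers: the developer's own cert and a store cert.
FP_DEV = fingerprint("constructed-developer-cert")
FP_AMAZON = fingerprint("constructed-amazon-store-cert")


def compare_signatures(installed: set, update: set) -> int:
    """Pre-Android-9 rule: the two signer sets must be exactly equal.

    There is no 'any one cert' or 'priority' logic: a package signed with
    {dev, store} cannot be updated by one signed with {dev} alone, and the
    reverse is equally rejected.
    """
    return SIGNATURE_MATCH if set(installed) == set(update) else SIGNATURE_NO_MATCH


def upgrade_allowed(installed: set, update: set) -> bool:
    """True when the package manager would accept the update in place."""
    return compare_signatures(installed, update) == SIGNATURE_MATCH


def scenarios() -> dict:
    """The cases from the question, evaluated with the set-equality rule."""
    return {
        # Installed from Amazon with both certs, update from Play with dev cert only.
        "double_signed_then_play_update": upgrade_allowed({FP_DEV, FP_AMAZON}, {FP_DEV}),
        # Installed from Play, updated from Play.
        "play_then_play_update": upgrade_allowed({FP_DEV}, {FP_DEV}),
        # Amazon stripped the dev cert and re-signed, update from Play.
        "amazon_only_then_play_update": upgrade_allowed({FP_AMAZON}, {FP_DEV}),
    }


def v1_signer_blocks(apk_bytes: bytes) -> list:
    """Names of the signature-block files under META-INF/ (one per v1 signer).

    A v1-signed APK carries a NAME.SF and a matching NAME.RSA/.DSA/.EC per
    signer, so counting the block files tells you how many certificates
    signed the archive without parsing the PKCS#7 contents.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(
            name for name in z.namelist()
            if name.startswith("META-INF/")
            and name.upper().endswith((".RSA", ".DSA", ".EC"))
        )


def build_sample_apk(signer_names: list) -> bytes:
    """Constructed in-memory APK-shaped zip with placeholder signer files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<!-- constructed placeholder -->")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in signer_names:
            z.writestr(f"META-INF/{name}.SF", "Signature-Version: 1.0\n")
            z.writestr(f"META-INF/{name}.RSA", b"\x30\x00")  # placeholder, not real PKCS#7
    return buf.getvalue()


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'upgrade allowed' if ok else 'INSTALL_FAILED_UPDATE_INCOMPATIBLE'}")
    print(v1_signer_blocks(build_sample_apk(["CERT", "AMAZON"])))
```

Running the scenarios shows why a cross-store upgrade fails either way: with a strict set comparison, a package signed by two certs and an update signed by one never match, so the user would have to uninstall and reinstall rather than upgrade in place. Android 9 (API 28) later added APK Signature Scheme v3 with a signing-certificate lineage, but that only lets a key rotate to a successor the old key explicitly endorsed; it does not make a one-cert update compatible with a two-cert install.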
I emailed Amazon Appstore dev support a while ago and here is their answer:
In that case we would review your submission and decide if it requires
your signature. If we deem it does, we would enable the signature
feature and send you instructions, but if we deem it does not we would
override your signature with our own.
So they do indeed remove your original signature. Ever since the email I now just submit the signed APK that I uploaded to Google Play and let Amazon strip the certificate and apply their own. This saves me the time of compiling an unsigned APK just for Amazon.
On a side note: I thought it wasn't possible to have an app/package installed on the same device with two different certificates. Therefore you shouldn't be able to have an app from both Google Play and Amazon Appstore installed at the same time. I might be wrong though.