Author Topic: How to sign Android apps  (Read 16217 times)

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #15 on: 2011-Nov-25 »
This is my batch file (it copies the apk from the passed program directory), and uses 7Zip to delete the CERT files :

Code: GLBasic [Select]
copy %1\glbasic-debug.apk glbasic-debug.zip
pause
"C:\Program Files (x86)\7-Zip\7z.exe" d glbasic-debug.zip META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
pause
copy glbasic-debug.zip glbasic-debug.apk
keytool -genkey -alias mykey.keystore -keyalg RSA -validity 20000 -keystore keys/mykey.keystore
jarsigner -verbose -keystore keys/mykey.keystore -signedjar glbasic-signed.apk glbasic-debug.apk mykey.keystore
zipalign -v 4 glbasic-signed.apk glbasic-release.apk
pause

Offline Kitty Hello

  • code monkey
  • Administrator
  • Prof. Inline
  • *******
  • Posts: 10651
  • here on my island the sea says 'hello'
    • View Profile
    • http://www.glbasic.com
Re: How to sign Android apps
« Reply #16 on: 2011-Nov-25 »
make sure you use the release-output in the first place. I have no idea, but the debug build might have overhead.

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #17 on: 2011-Nov-25 »
Ah yes - glbasic-unsigned...

Offline BdR

  • Dr. Type
  • ****
  • Posts: 303
    • View Profile
    • BdR Games
Re: How to sign Android apps
« Reply #18 on: 2012-Mar-26 »
I managed to sign my Android .APK file and it was accepted correctly and everything. However, I still don't understand how this actually works. So you generate a local .keystore file which is based on whatever password you think up. Then you sign your .APK package with that .keystore file and enter the password again, and then send the signed .APK to Google.

But then, how does Google know it is signed correctly if they don't have the keystore file? O_O

Offline ampos

  • Prof. Inline
  • *****
  • Posts: 1592
    • View Profile
    • AMpostata Website
Re: How to sign Android apps
« Reply #19 on: 2012-Mar-26 »
Vudu...

 =D
check my web and/or my blog :D
http://diniplay.blogspot.com (devblog)
http://www.ampostata.org
http://ampostata.blogspot.com
I own PC-Win, MacBook 13", iPhone 3G/3GS/4G and iPAC-WinCE

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #20 on: 2012-Mar-26 »
I suspect it just checks to make sure it is present, not the demo key and is in the correct format...

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #21 on: 2013-Jun-21 »
It appears that the Java 1.7 SDK key signing system isn't compatible with Android.  So giggles all round then...

Fortunately being able to get some information about the problem from the Stack Overflow website, I have changed my code signing batch file to :

Code: GLBasic [Select]
erase "%1.zip" /Q
erase "%1_signed.apk" /Q
erase "%1_unsigned.apk" /Q
erase "%1_release.apk" /Q
copy "%1.apk" "%1.zip"
"C:\Program Files (x86)\7-Zip\7z.exe" d "%1.zip" META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
copy "%1.zip" "%1_unsigned.apk"
keytool -genkey -alias keys/mykey.keystore -validity 20000 -sigalg MD5withRSA -keyalg RSA -keysize 1024 -keystore keys/mykey.keystore
jarsigner -verbose -keystore keys/mykey.keystore -sigalg MD5withRSA -digestalg SHA1 -signedjar "%1_signed.apk" "%1_unsigned.apk" keys/mykey.keystore
zipalign -v 4 "%1_signed.apk" "%1_release.apk"
move "%1_release.apk" "Release/%1_release.apk"
@echo "Finished"

Could someone try the included APK file (in the ZIP file) onto a real device.  It is properly signed, and whilst it works with the emulator, I need to make sure the new changes are correct.

Offline Falstaff

  • Mr. Polyvector
  • ***
  • Posts: 148
    • View Profile
Re: How to sign Android apps
« Reply #22 on: 2013-Sep-16 »
I'm looking to use that convenient script from the post above me, but I'm new to the process, so just to clarify, would I want to use "keytool" to generate a new key every time I go to release an update for my app? Or would I just want to do this once, to generate the key the first time, and then use the same key to run the following commands (ie jarsigner) with on any new binaries being submitted as updates?

Just wondering.. thanks for the script though, I think I'm almost ready to release to android thanks to everyone's help :)

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #23 on: 2013-Sep-16 »
Yes, every new compile would need a newly generated code from keytool which would then be used by jarsigner

Offline spacefractal

  • Community Developer
  • Prof. Inline
  • ******
  • Posts: 3326
    • View Profile
    • Space Fractal
Re: How to sign Android apps
« Reply #24 on: 2013-Sep-17 »
property only when you update to the Google Play and various other stores. Here the APK need to been signed each time.
Greedy Mouse - Karma Miwa - Spot Race - CatchOut - Android Extras - is on a vacation trip, home before end of few days in jan.

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #25 on: 2014-Sep-14 »
I've finally worked out how to silently get the APK signed :

Code: GLBasic [Select]
erase "%1.zip" /Q
erase "%1-signed.apk" /Q
erase "%1-unsigned.apk" /Q
erase "%1-release.apk" /Q
copy "%1.apk" "%1.zip"
7z.exe d "%1.zip" META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
copy "%1.zip" "%1-unsigned.apk"
keytool -genkey -alias keys/mykey.keystore -validity 20000 -sigalg MD5withRSA -keyalg RSA -keysize 1024 -keystore keys/mykey.keystore -storepass %2
jarsigner -verbose -keystore keys/mykey.keystore -sigalg MD5withRSA -digestalg SHA1 -signedjar "%1-signed.apk" "%1-unsigned.apk" keys/mykey.keystore -storepass %2
zipalign -v 4 "%1-signed.apk" "%1-release.apk"
move "%1-release.apk" "Release/%1-release.apk"
@echo "Finished"
pause

Just pass the batch file two parameters - the first is the APK filename and the second is the password.  Need to make sure that zipalign, jarsigner, 7zip are in %PATH% as usual.

You will be notified that there is no Time Stamp Authority certificate, but as they are expensive to buy ($218 for 1 year), I dont think it will be too much bother to ignore this - after all, you are informed that the certificate with expire in 2068...

The latest versions of Android will no longer accept APK's with the default certificate, so you will have to sign it everytime you want to test on an Android device or emulator.