How to sign Android apps

Previous topic - Next topic

MrTAToad

This is my batch file (it copies the apk from the passed program directory), and uses 7Zip to delete the CERT files :

Code (glbasic) Select
copy %1\glbasic-debug.apk glbasic-debug.zip
pause
"C:\Program Files (x86)\7-Zip\7z.exe" d glbasic-debug.zip META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
pause
copy glbasic-debug.zip glbasic-debug.apk
keytool -genkey -alias mykey.keystore -keyalg RSA -validity 20000 -keystore keys/mykey.keystore
jarsigner -verbose -keystore keys/mykey.keystore -signedjar glbasic-signed.apk glbasic-debug.apk mykey.keystore
zipalign -v 4 glbasic-signed.apk glbasic-release.apk
pause

Kitty Hello

make sure you use the release-output in the first place. I have no idea, but the debug build might have overhead.

MrTAToad

Ah yes - glbasic-unsigned...

BdR

I managed to sign my Android .APK file and it was accepted correctly and everything. However, I still don't understand how this actually works. So you generate a local .keystore file which is based on whatever password you think up. Then you sign your .APK package with that .keystore file and enter the password again, and then send the signed .APK to Google.

But then, how does Google know it is signed correctly if they don't have the keystore file? O_O

ampos

check my web and/or my blog :D
http://diniplay.blogspot.com (devblog)
http://www.ampostata.org
http://ampostata.blogspot.com
I own PC-Win, MacBook 13", iPhone 3G/3GS/4G and iPAC-WinCE

MrTAToad

I suspect it just checks to make sure it is present, not the demo key and is in the correct format...

MrTAToad

It appears that the Java 1.7 SDK key signing system isn't compatible with Android.  So giggles all round then...

Fortunately being able to get some information about the problem from the Stack Overflow website, I have changed my code signing batch file to :

Code (glbasic) Select
erase "%1.zip" /Q
erase "%1_signed.apk" /Q
erase "%1_unsigned.apk" /Q
erase "%1_release.apk" /Q
copy "%1.apk" "%1.zip"
"C:\Program Files (x86)\7-Zip\7z.exe" d "%1.zip" META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
copy "%1.zip" "%1_unsigned.apk"
keytool -genkey -alias keys/mykey.keystore -validity 20000 -sigalg MD5withRSA -keyalg RSA -keysize 1024 -keystore keys/mykey.keystore
jarsigner -verbose -keystore keys/mykey.keystore -sigalg MD5withRSA -digestalg SHA1 -signedjar "%1_signed.apk" "%1_unsigned.apk" keys/mykey.keystore
zipalign -v 4 "%1_signed.apk" "%1_release.apk"
move "%1_release.apk" "Release/%1_release.apk"
@echo "Finished"


Could someone try the included APK file (in the ZIP file) onto a real device.  It is properly signed, and whilst it works with the emulator, I need to make sure the new changes are correct.

Falstaff

I'm looking to use that convenient script from the post above me, but I'm new to the process, so just to clarify, would I want to use "keytool" to generate a new key every time I go to release an update for my app? Or would I just want to do this once, to generate the key the first time, and then use the same key to run the following commands (ie jarsigner) with on any new binaries being submitted as updates?

Just wondering.. thanks for the script though, I think I'm almost ready to release to android thanks to everyone's help :)

MrTAToad

Yes, every new compile would need a newly generated code from keytool which would then be used by jarsigner

spacefractal

property only when you update to the Google Play and various other stores. Here the APK need to been signed each time.
Genius.Greedy Mouse - Karma Miwa - Spot Race - CatchOut - PowerUp Elevation - The beagle Jam - Cave Heroes 2023 - https://spacefractal.itch.io/

MrTAToad

I've finally worked out how to silently get the APK signed :

Code (glbasic) Select
erase "%1.zip" /Q
erase "%1-signed.apk" /Q
erase "%1-unsigned.apk" /Q
erase "%1-release.apk" /Q
copy "%1.apk" "%1.zip"
7z.exe d "%1.zip" META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
copy "%1.zip" "%1-unsigned.apk"
keytool -genkey -alias keys/mykey.keystore -validity 20000 -sigalg MD5withRSA -keyalg RSA -keysize 1024 -keystore keys/mykey.keystore -storepass %2
jarsigner -verbose -keystore keys/mykey.keystore -sigalg MD5withRSA -digestalg SHA1 -signedjar "%1-signed.apk" "%1-unsigned.apk" keys/mykey.keystore -storepass %2
zipalign -v 4 "%1-signed.apk" "%1-release.apk"
move "%1-release.apk" "Release/%1-release.apk"
@echo "Finished"
pause


Just pass the batch file two parameters - the first is the APK filename and the second is the password.  Need to make sure that zipalign, jarsigner, 7zip are in %PATH% as usual.

You will be notified that there is no Time Stamp Authority certificate, but as they are expensive to buy ($218 for 1 year), I dont think it will be too much bother to ignore this - after all, you are informed that the certificate with expire in 2068...

The latest versions of Android will no longer accept APK's with the default certificate, so you will have to sign it everytime you want to test on an Android device or emulator.