Author Topic: How to sign Android apps  (Read 26960 times)

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #15 on: 2011-Nov-25 »
This is my batch file (it copies the APK from the passed program directory, and uses 7-Zip to delete the CERT files):

Code:
REM %1 is the program directory that holds glbasic-debug.apk
copy %1\glbasic-debug.apk glbasic-debug.zip
pause
REM Delete the existing signature files from the archive
"C:\Program Files (x86)\7-Zip\7z.exe" d glbasic-debug.zip META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
pause
copy glbasic-debug.zip glbasic-debug.apk
REM Create a key pair in keys/mykey.keystore under the alias "mykey.keystore"
keytool -genkey -alias mykey.keystore -keyalg RSA -validity 20000 -keystore keys/mykey.keystore
REM Sign the APK with that key, then align the signed file
jarsigner -verbose -keystore keys/mykey.keystore -signedjar glbasic-signed.apk glbasic-debug.apk mykey.keystore
zipalign -v 4 glbasic-signed.apk glbasic-release.apk
pause

Kitty Hello

Re: How to sign Android apps
« Reply #16 on: 2011-Nov-25 »
Make sure you use the release-output in the first place. I have no idea, but the debug build might have overhead.

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #17 on: 2011-Nov-25 »
Ah yes - glbasic-unsigned...

BdR

Re: How to sign Android apps
« Reply #18 on: 2012-Mar-26 »
I managed to sign my Android .APK file and it was accepted correctly and everything. However, I still don't understand how this actually works. So you generate a local .keystore file which is based on whatever password you think up. Then you sign your .APK package with that .keystore file and enter the password again, and then send the signed .APK to Google.

But then, how does Google know it is signed correctly if they don't have the keystore file? O_O
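
The question above comes down to public-key signatures: the signed APK carries the signer's public key next to the signature, so a verifier needs nothing from the keystore. The sketch below is an added example, not part of the thread and not jarsigner's real file formats; the toy RSA key, the simplified MANIFEST.MF / CERT.SF / CERT.RSA contents, the sample files and all function names are assumptions made for illustration.

```python
import base64, hashlib, io, zipfile

# Toy RSA key from two known Mersenne primes: far too small for real use, it
# only stands in for the key pair keytool stores in the .keystore file.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus: shipped inside the APK
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: never leaves the keystore
FILES = {"classes.dex": b"constructed dex bytes", "res/icon.png": b"constructed png"}

def b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def manifest_for(files):
    return "".join(f"Name: {k}\nSHA1-Digest: {b64sha1(v)}\n\n"
                   for k, v in sorted(files.items())).encode()

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

def sign_apk(files, n, d, e):
    """Add simplified MANIFEST.MF, CERT.SF and CERT.RSA entries, as jarsigner would."""
    manifest = manifest_for(files)
    sf = f"SHA1-Digest-Manifest: {b64sha1(manifest)}\n".encode()
    sig = pow(int.from_bytes(hashlib.sha1(sf).digest(), "big"), d, n)
    # A real CERT.RSA is a PKCS#7 blob; this one holds signature + PUBLIC key only.
    block = f"{sig:x} {n:x} {e:x}".encode()
    return make_zip({**files, "META-INF/MANIFEST.MF": manifest,
                     "META-INF/CERT.SF": sf, "META-INF/CERT.RSA": block})

def verify_apk(apk):
    """Check an APK using only its own contents; return signer modulus or None."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        data = {name: z.read(name) for name in z.namelist()}
    manifest, sf = data.pop("META-INF/MANIFEST.MF"), data.pop("META-INF/CERT.SF")
    sig, n, e = (int(x, 16) for x in data.pop("META-INF/CERT.RSA").split())
    if pow(sig, e, n) != int.from_bytes(hashlib.sha1(sf).digest(), "big"):
        return None                    # CERT.SF was not signed by the embedded key
    if sf != f"SHA1-Digest-Manifest: {b64sha1(manifest)}\n".encode():
        return None                    # MANIFEST.MF changed after signing
    return n if manifest_for(data) == manifest else None   # None: a file changed

def replace_entry(apk, name, content):
    """Rebuild the zip with one entry swapped and META-INF left as it was."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return make_zip({i: content if i == name else z.read(i) for i in z.namelist()})
```

`verify_apk(sign_apk(FILES, N, D, E))` returns the signer's modulus, while the same APK with `classes.dex` swapped through `replace_entry` returns `None`. The returned modulus plays the role of the signer certificate, which a verifier can compare against the one it has seen before for the same app.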

ampos

Re: How to sign Android apps
« Reply #19 on: 2012-Mar-26 »
Vudu...

 =D

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #20 on: 2012-Mar-26 »
I suspect it just checks to make sure it is present, not the demo key and is in the correct format...

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #21 on: 2013-Jun-21 »
It appears that the Java 1.7 SDK key signing system isn't compatible with Android.  So giggles all round then...

Fortunately being able to get some information about the problem from the Stack Overflow website, I have changed my code signing batch file to:

Code:
REM %1 is the APK name without the .apk extension
REM Clear the output of any previous run
erase "%1.zip" /Q
erase "%1_signed.apk" /Q
erase "%1_unsigned.apk" /Q
erase "%1_release.apk" /Q
copy "%1.apk" "%1.zip"
REM Delete the existing signature files from the archive
"C:\Program Files (x86)\7-Zip\7z.exe" d "%1.zip" META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
copy "%1.zip" "%1_unsigned.apk"
REM Create the key, then sign with the same algorithms named explicitly
keytool -genkey -alias keys/mykey.keystore -validity 20000 -sigalg MD5withRSA -keyalg RSA -keysize 1024 -keystore keys/mykey.keystore
jarsigner -verbose -keystore keys/mykey.keystore -sigalg MD5withRSA -digestalg SHA1 -signedjar "%1_signed.apk" "%1_unsigned.apk" keys/mykey.keystore
zipalign -v 4 "%1_signed.apk" "%1_release.apk"
move "%1_release.apk" "Release/%1_release.apk"
@echo "Finished"

Could someone try the included APK file (in the ZIP file) on a real device? It is properly signed, and whilst it works with the emulator, I need to make sure the new changes are correct.

Falstaff

Re: How to sign Android apps
« Reply #22 on: 2013-Sep-16 »
I'm looking to use that convenient script from the post above me, but I'm new to the process, so just to clarify, would I want to use "keytool" to generate a new key every time I go to release an update for my app? Or would I just want to do this once, to generate the key the first time, and then use the same key to run the following commands (i.e. jarsigner) with on any new binaries being submitted as updates?

Just wondering... thanks for the script though, I think I'm almost ready to release to Android thanks to everyone's help :)

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #23 on: 2013-Sep-16 »
Yes, every new compile would need a newly generated code from keytool which would then be used by jarsigner

spacefractal

Re: How to sign Android apps
« Reply #24 on: 2013-Sep-17 »
Properly only when you update to the Google Play and various other stores. Here the APK needs to be signed each time.

MrTAToad

  • Guest
Re: How to sign Android apps
« Reply #25 on: 2014-Sep-14 »
I've finally worked out how to silently get the APK signed:

Code:
REM %1 is the APK name without the .apk extension, %2 is the keystore password
REM Clear the output of any previous run
erase "%1.zip" /Q
erase "%1-signed.apk" /Q
erase "%1-unsigned.apk" /Q
erase "%1-release.apk" /Q
copy "%1.apk" "%1.zip"
REM Delete the existing signature files from the archive
7z.exe d "%1.zip" META-INF\manifest.mf META-INF\CERT.SF META-INF\CERT.RSA
copy "%1.zip" "%1-unsigned.apk"
REM -storepass supplies the password so neither tool prompts for it
keytool -genkey -alias keys/mykey.keystore -validity 20000 -sigalg MD5withRSA -keyalg RSA -keysize 1024 -keystore keys/mykey.keystore -storepass %2
jarsigner -verbose -keystore keys/mykey.keystore -sigalg MD5withRSA -digestalg SHA1 -signedjar "%1-signed.apk" "%1-unsigned.apk" keys/mykey.keystore -storepass %2
zipalign -v 4 "%1-signed.apk" "%1-release.apk"
move "%1-release.apk" "Release/%1-release.apk"
@echo "Finished"
pause

Just pass the batch file two parameters - the first is the APK filename and the second is the password.  Need to make sure that zipalign, jarsigner, 7zip are in %PATH% as usual.

You will be notified that there is no Time Stamp Authority certificate, but as they are expensive to buy ($218 for 1 year), I don't think it will be too much bother to ignore this - after all, you are informed that the certificate will expire in 2068...

The latest versions of Android will no longer accept APKs with the default certificate, so you will have to sign it every time you want to test on an Android device or emulator.