Android application signing: detailed steps

  • 2020-05-26 10:05:00
  • OfStack

1. Preparation
An apk can be signed in two ways:

1) sign the apk through the graphical interface provided by ADT:
right-click the project -> "Android Tools" -> "Export Signed Application Package..." to open the graphical interface;
2) sign the apk entirely from the shell/DOS command line.

I prefer option 2), so I'll show you how to sign an apk from the command line.

Signing an apk requires three tools, or three commands: keytool, jarsigner and zipalign. A brief introduction of the three:

1) keytool: generates a digital certificate, that is, a key, stored in the file with the .keystore extension;

2) jarsigner: signs apk files with a digital certificate;

3) zipalign: optimizes the signed apk so that it interacts more efficiently with the Android system (included in the Android SDK since version 1.6).

The roles of the three tools also dictate the order in which they are used. Generally, all the applications we develop ourselves use the same signature, that is, the same digital certificate. This means that if you are signing an Android application for the first time, all three tools are used; but if you already have a digital certificate, you can sign further apks later using only jarsigner and zipalign.
To make the three commands easier to use, first add the paths of the three tools to the PATH environment variable (this is a convenience, not a necessity). See my previous blog (Windows or Ubuntu) for how to configure environment variables. The default locations of the three tools are:

1) keytool: located in the bin directory of the JDK installation path;
2) jarsigner: located in the bin directory of the JDK installation path;
3) zipalign: located in the android-sdk-windows/tools/ directory.

You may have noticed that keytool and jarsigner come with the JDK, which means that generating digital certificates and signing files is not something unique to Android. As the name jarsigner suggests, the tool is primarily used to sign jar files.

2. Generate an unsigned apk file
Since we are signing the apk ourselves, we no longer need ADT to sign it for us by default. How do I get an unsigned apk file? Open Eclipse, right-click the name of the Android project, select "Android Tools" -> "Export Unsigned Application Package...", and then choose a location to save it. This gives you an unsigned apk file.

3. Use the keytool tool to generate a digital certificate

keytool -genkey -v -keystore it-homer.keystore -alias it-homer.keystore -keyalg RSA -validity 20000

Description:
1) keytool is the name of the tool, -genkey means to generate a digital certificate, and -v means to print the detailed information of the generated certificate in the DOS window;
2) -keystore it-homer.keystore means that the generated digital certificate file is named "it-homer.keystore";
3) -alias it-homer.keystore means that the alias of the certificate is "it-homer.keystore";
4) -keyalg RSA means that the key is generated with the RSA algorithm;
5) -validity 20000 means that the digital certificate is valid for 20,000 days, i.e. it expires after 20,000 days.
When you run the above command to generate the digital certificate file, you will be prompted to enter some information, including the password of the certificate, as shown below:

4. Sign the Android application using the jarsigner tool

jarsigner -verbose -keystore it-homer.keystore -signedjar notepad_signed.apk notepad.apk it-homer.keystore

Description:
1) jarsigner is the name of the tool, -verbose means to print the detailed information of the signing process in the DOS window;
2) -keystore it-homer.keystore is the location of the digital certificate used for signing;
3) -signedjar notepad_signed.apk notepad.apk means to sign notepad.apk, writing the signed file as notepad_signed.apk;
4) the final it-homer.keystore is the alias of the certificate, corresponding to the value given after the -alias parameter when the digital certificate was generated.

5. Optimize the signed apk using the zipalign tool (not required but recommended)

zipalign -v 4 notepad_signed.apk notepad_signed_aligned.apk

Description:
1) zipalign is the name of the tool, -v means to print the detailed optimization information in the DOS window;
2) notepad_signed.apk notepad_signed_aligned.apk means to optimize the signed file notepad_signed.apk, writing the optimized file as notepad_signed_aligned.apk.
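The two properties the last two steps leave behind can be checked offline, because an apk is an ordinary ZIP file. The following is an added example (not from the original post) that reads the local file headers to report STORED entries that are not on a 4-byte boundary, which is what `zipalign -c -v 4` checks, and lists the META-INF files jarsigner writes; the sample apk it builds is constructed in the code with placeholder contents, and the alignment padding it adds uses the same extra-field id zipalign uses.

```python
import io
import struct
import zipfile

LOCAL_HEADER = struct.Struct("<4sHHHHHLLLHH")  # the 30-byte ZIP local file header
ZIPALIGN_PAD_ID = 0xD935  # extra-field id zipalign uses for its padding bytes


def data_offset(apk: bytes, info: zipfile.ZipInfo) -> int:
    """Where an entry's payload starts: local header + file name + extra field."""
    fields = LOCAL_HEADER.unpack_from(apk, info.header_offset)
    name_len, extra_len = fields[9], fields[10]
    return info.header_offset + LOCAL_HEADER.size + name_len + extra_len


def misaligned_entries(apk: bytes, alignment: int = 4) -> list:
    """Uncompressed (STORED) entries whose payload is not on a 4-byte boundary.
    This is the property `zipalign -c -v 4` checks; compressed entries are
    skipped because the system cannot map them in place anyway."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return [i.filename for i in zf.infolist()
                if i.compress_type == zipfile.ZIP_STORED
                and data_offset(apk, i) % alignment]


def v1_signature_files(apk: bytes) -> list:
    """META-INF entries jarsigner writes (MANIFEST.MF, the .SF and the .RSA block).
    Their absence means the apk is unsigned; which certificate signed it must be
    checked with `jarsigner -verify -verbose -certs`, not from the file names."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("META-INF/")
                      and n.upper().endswith((".MF", ".SF", ".RSA", ".DSA", ".EC")))


def build_sample(aligned: bool) -> bytes:
    """Constructed stand-in for notepad_signed.apk: STORED entries plus placeholder
    jarsigner files. With aligned=True each local header gets a zipalign-style
    padding extra field so that every payload lands on a 4-byte boundary."""
    entries = [("classes.dex", b"dex\n035\0" * 5), ("res/raw/a.bin", b"\x01\x02\x03"),
               ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n"),
               ("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n"),
               ("META-INF/CERT.RSA", b"\x30\x82 placeholder PKCS#7 block")]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            info = zipfile.ZipInfo(name)  # ZipInfo defaults to ZIP_STORED
            if aligned:
                pad = -(zf.fp.tell() + LOCAL_HEADER.size + len(name)) % 4
                if pad:  # 4-byte field header followed by `pad` zero bytes
                    info.extra = struct.pack("<HH", ZIPALIGN_PAD_ID, pad) + b"\0" * pad
            zf.writestr(info, payload)
    return buf.getvalue()
```

On a real file the same result comes from `zipalign -c -v 4 notepad_signed_aligned.apk` and `jarsigner -verify -verbose -certs notepad_signed_aligned.apk`, which additionally validates the signature and shows the signing certificate.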
Note: if the previously installed version of your application used the default (debug) signature, the new application cannot be installed over it. The original application must be uninstalled before the new one can be installed, because installing over an existing application involves two main checks:
1) whether the two programs have the same entry Activity. If two programs have different package names, they are treated as two different programs even if all the rest of the code is identical.
2) whether the two programs carry the same signature. If two programs have different signatures, they are not considered different versions of the same program even if the package name is the same, and the new one cannot be installed over the old one.

In addition, some people might think that a debug-signed application can be installed and used anyway, so there is no need to sign the application yourself. Don't think that: a debug-signed application has two limitations, or risks:

1) a debug-signed app cannot be published on the Android Market, which forces you to use your own signature.
2) debug.keystore may differ from machine to machine, which means that if you switch machines to build an upgraded apk version, you run into the problem described above: the new version cannot be installed over the old one. Don't underestimate this. If you are developing a program that only you use, it doesn't matter, just uninstall and reinstall. But if your software has many users, this is a serious problem: the software effectively cannot be upgraded!
