Android APK signature (why verification)

Android apk signature (why verification)

This article is based on your own questions and then combined with multiple articles.

Reference:

Http://liangxh2008.blog.163.com/blog/static/112411679201041321646855/

Http://www.pgcw.com.cn/Newsdetail.asp? Id = 257565010

Http://www.eoeandroid.com/thread-23010-1-1.html

Http://pepa.iteye.com/blog/250991

Http://dev.10086.cn/cmdn/bbs/viewthread.php? Tid = 36678

Http://blog.csdn.net/wenhaiyan/archive/2010/04/23/5520964.aspx

Http://jojol-zhou.iteye.com/blog/719428

I. Why signature:

1. Sender authentication. Because developers may use the same Package Name to confuse and replace installed programs, different packages with different signatures will not be replaced.
2. ensure the integrity of information transmission. The signature processes each file in the package, so as to ensure that the content in the package is not replaced, to prevent the occurrence of credit in transactions.

Ii. Signature Description:
1. All applications must have digital certificates. Android does not install an application without digital certificates.
2. The digital certificate used by the Android package can be self-Signed and does not require signature authentication by an authoritative Digital Certificate Authority.
3. To officially release an Android Application, you must use a digital certificate generated by the appropriate private key to sign the program. Instead, you cannot use the debugging certificate generated by the ADT plug-in or ant tool to publish the application.
4. The digital certificate is valid. Android only checks the validity period of the certificate when the application is installed. If the program has been installed in the system, the normal functions of the program will not be affected even if the certificate expires.
5. Use zipalign after signing
6. Android uses a digital certificate to identify the author of an application and establish a trust relationship between the application, rather than deciding which applications the end user can install.
Iii. signature method:

1. Use Eclipse plug-in for signature

2. debug the signature

By default, the Eclipse plug-in grants the program a debug permission signature. The signature program cannot be published to the market. The signature is valid for one year. If it expires, you cannot generate an APK file, now you only need to delete the debug keystore, and the system will generate a new signature valid for one year for you.
B) The developer generates the key and signs the key.
Right-click the project name, select Android tools from the menu, and then select export signed applicationpackage ..., You can use eclipse to customize the certificate and sign it.
C) The developer exports the unsigned package
Right-click the project name, select Android tools from the menu, and then select export signed applicationpackage ..., You can export unsigned packages and then sign them using the command line method.

3. Use command line Signature
Use standard Java tools keytool and jarsigner to generate certificates and sign programs
A) Generate a signature
$ Keytool-genkey-keystorekeyfile-keyalg RSA-validity 10000-aliasyan
Note: validity is the number of days, Keyfile is the file where the generated key is stored, Yan is the private key, and RSA is the specified encryption algorithm (RSA or DSA can be used)
B) sign the apk File
$ Jarsigner-verbose-keystorekeyfile-signedjar signed.apk base.apk Yan
Note: For keyfiles' generated keys' files, signed.apkis the appkey behind the signature, base.apk is the unsigned apk, and yan is the private key.
C) Check whether an apk has been signed
$ Jarsigner-verify my_application.apk

Example: jarsigner-verify-verbose-certs abc.apk

The following information is displayed for each signed apk:

Sm 152412 Wed Oct 14 14:16:52 CEST 2009 classes. dex

X.509, CN = Meebo, OU = Meebo, O = Meebo, L = Mountain View, ST = California, C = US

[Certificate is valid from 28/10/08 to 13/08/82]

Otherwise, there is no signature.
D) optimization (Alignment Optimization is required after the signature)
Zipalign-v 4 your_project_name-unaligned.apk your_project_name.apk 

4. Signature compiled in source code
A) use the default signature in the source code.
The default signature is generally used for compiling in the source code, and is run in a source code directory.
$ MmshowcommandsThe signature command is displayed.
Android provides the signature program signapk. jar, which is used as follows:
$ Signapk publickey. X509 [. pem] privatekey. pk8 input. Jar output. Jar
*. X509.pem is the public key in x509 format, and pk8 is the private key.
There are four default signatures in the build/target/product/security directory: testkey, platform, shared, media(see readme.txt for details), Android in the application. mk has a LOCAL_CERTIFICATE field, which specifies the key used for signature. If it is not specified, testkey is used by default.
B) self-signed in source code
Android provides a script mkkey. sh (build/target/product/security/mkkey. sh. the LOCAL_CERTIFICATE field in mk indicates the signature used.
C) introduction to mkkey. sh
I. Generate a Public Key
OpenSSL genrsa-3-outtestkey. pem 2048
Among them,-3 is the algorithm parameter, 2048 is the key length, and testkey. pem is the output file.
Ii. Convert to x509 format (including the author's validity period)
OpenSSL req-New-X509-keytestkey. PEM-out testkey. x509.pem-days 10000-subj '/C = US/ST = California/L = mountain [email = view/o = Android/ou = Android/CN = Android/emailaddress = android@android.com] view/o = Android/ou = Android/CN = Android/emailaddress = android@android.com [/Email]'
Iii. Generate a private key
OpenSSL pkcs8-In testkey. pem-topk8-outform der-out testkey. pk8-nocrypt
Convert the format to PKCS #8.-nocryp is specified here, which indicates that it is not encrypted. Therefore, you do not need to enter a password for signing.

Iv. Signed files
1) The file related to the signature in the apk package is in the META_INF directory.
CERT. SF: Generate Keys relative to each file
MANIFEST. MF: digital signature information
Xxx. SF: This is the signature file of the JAR file. The placeholder xxx identifies the signer.
Xxx. DSA: Signature and public key of the output file
2) source code

V. Signature Problems
An error is prompted during installation: INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES
1) two applications with the same name and different signatures
2) The signature of the previous version is added during the upgrade, but not the signature of the later version.
3) When upgrading, the previous version uses the DEBUG signature and the latter uses the custom signature.
4) During the upgrade, the previous version is the signature in the Android source code, and the latter is the DEBUG signature or custom signature.
5) install unsigned programs
6) install programs that have expired the upgrade
6. Related tools
1) view the validity date of an x509 Certificate

Signature steps:

The Apk signature must first contain a keystore signature file.
The keystore is generated by the built-in jdk tool keytool. For details, refer:
Start-> Run-> cmd-> cd to the jdk directory you installed. Here I am C: \ Program Files \ Java \ jdk1.6.0 _ 10 \ bin
Enter: keytool-genkey-alias asaiAndroid. keystore-keyalg RSA-validity 20000-keystore asaiAndroid. keystore
-Alias is followed by an alias. Here is asaiAndroid. keystore.
-Keyalg is the encryption method. Here it is RSA.
-Validity is valid. The value is 20000.
-Keystore is the name of the keystore to be generated. Here is asaiAndroid. keystore.
Press ENTER
Press enter and you will be prompted to enter the password: remember what to use for signature.
Then confirm your password.
You will be asked to enter the name, organization unit, organization name, city area, Province name, country code, and so on.
Refer:

After running, you can find the generated keyStore file in C: \ Program Files \ Java \ jdk1.6.0 _ 10 \ bin.

Now, I have signed the Apk:
Jarsigner.exe also provides a tool in C: \ Program Files \ Java \ jdk1.6.0 _ 10 \ bin.
Now, run the following command to sign the APK:
Jarsigner-verbose-keystore asaiAndroid. keystore-signedjar LotteryOnline_signed.apk LotteryOnline.apk asaiAndroid. keystore
-Keystore: the name of the keystore.
LotteryOnline_signed.apk is the named APK.
LotteryOnline.apk is the apk before the signature.
Press enter to enter the password you just set. Press enter to start signing.
Refer:

After running successfully, a signed apk file will be added to the C: \ Program Files \ Java \ jdk1.6.0 _ 10 \ bin directory,
Refer:

 

If this method does not work, you can try the built-in eclipse method, which also references "Stealing" others' articles ^-^

1. In the Eclipse project, right-click the project and choose android> Generate a signature application package from the shortcut menu:

2. Select the android project to be packaged:

3. If the private key file already exists, select the private key file and enter the password. If there is no private key file, see steps 6th and 7 to create the private key file:

4. Enter the private key alias and password:

5. Select the location of the APK storage and complete the settings to start generating:

6. If the private key file does not exist, create the private key file:

7. Enter the information required for the private key file and create it:

Supplement:

To finally release your android program, you must sign the apk file. Here, the apk and jar signatures are the same. They are completed using the jarsigner tool of sun jdk. However, when executed, a prompt is displayed: jarsigner: unable to sign the jar: java.util.zip. zipException: invalid entry compressed size (expected xxx but got xxx bytes) Prompt,

These problems are mainly caused by resource files. for android development, check the files in the res folder one by one. This problem can be solved by upgrading the JDK and JRE versions of the system.