Android Application signature and android Signature
This article mainly introduces the theoretical knowledge of Android Application signatures and how to publish Android applications.
1. Concept of Signature
It is a well-known signature in daily life. It represents a special mark of a person and is used to uniquely identify a person. The signature of an Android application is essentially the same as that of a routine application. The signature of an application is also a special identifier that developers can mark in the application, when someone else sees this tag, they will know that this application is related to you or you have developed it, not others.
2. Do Android applications need signatures?
Yes, the Android system released by Google requires that each published application must be signed. The Android Application signature is used to establish the trust relationship between the developer and the package of the program. when updating the application, the Android system requires that the signatures of the New and Old applications be consistent.
Different from signatures on windows, Android signatures do not require authoritative Digital Certificate Authority authentication and are not used to determine which applications can be installed by end users, it is completed by the program author and a self-authentication mechanism for the Android system package.
3. Debug Signature
If you are a beginner developer, you will find that the application you developed has not passed your own signature and can also be installed on the Android system machine, this is because the ADT tool uses the debug digital certificate (which exists in debug. keystore) automatically adds a debug signature to each application in the development stage.
Debug. the keystore is also known as the debug keystore. It is a required file for app signature. When using ipvs, the ADT (Android Development Tools) Plug-in is installed, and the ADT comes with the debug keystore (also known as the witness library, because *. keystore is used to store digital certificates:
System Disk: \ Users \ zhangsan \. android \ debug. keystore. The locations of different system key libraries may be slightly different.
In general, in the development phase, the application does not need the author to create a keystore file (*. keystore), but if you want to release a developed application, you must use your own signature. The debug signature application cannot be published to the application store.
4. How to sign an application
The App signature can be completed in two ways, using the graphical interface provided by ADT, or using the command line (DOS) command to sign.
1) Graphical tool signature Step 1: Export
Select project-> right-click-> export Android Application (here I will use the Android App project ZHGL for demonstration)
Step 2: select the app project to export
Step 3: Create a keystore (*. keystore)
For the first time, select create new keystore, specify the location where the keystore (. keystore) is stored: C: \ Users \ chen. jian \ Desktop \ AndroidSignature, and set the keystore password.
PS: The key can be signed for multiple applications. We recommend that you have a keystore.
Step 4: create a signature certificate
The concept of signature certificate: In a real environment, the certificate carries the author/certificate content and other relevant information, and then the signature or seal of the issuing authority, which is essentially the same as the signature certificate here, the password you set is equivalent to a signature. The signature tool uses this password to encrypt the apk.
-- Alias: the Alias of the keystore (set by the author and case-insensitive. The keystore can store multiple signature certificates (Digital Certificates). We recommend that you create different signature certificates for different apps)
-- Password: Key Password
-- Validity: Validity Period of the signature certificate
Step 5: generate a signed apk File
Step 6: Use the created certificate to sign the apk.
2) doscommand for signature
In the DOS environment, three tools are required to sign the apk: keytool, jarsigner, and zipalign.
- Keytool: Create a key library and a digital certificate. In the bin installation directory of JDK (for example, C: \ Program Files \ Java \ jdk1.6.0 _ 10 \ bin)
- Jarsigner: sign the apk, which is also under the bin installation directory of JDK.
- Zipalign: optimizes the signed apk file to improve the execution efficiency of the virtual machine, which is stored in the SDK tools directory (for example, D: \ android-sdk-windows \ tools \)
It can be seen that the signature to the apk is not a patent of Android, but already exists at the beginning of the Java era.
PS: to use these tools in the DOS environment, you need to add them to the environment variables of windows.
Step 1: Export unsigned apk files
Step 2: Use keytool to create a digital certificate
Keytool-genkey-v-keystore ChenJian. keystore-alias androidkeystore_v1-keyalg RSA-validity 20000
Note:
- Keytool is the tool name.-genkey indicates that the digital certificate generation operation is performed.-v indicates that the detailed information of the generated certificate is printed and displayed in the dos window;
- -Keystore ChenJian. keystore indicates that the generated digital certificate is named "ChenJian. keystore ";
- -Alias androidkeystore_v1 indicates that the certificate alias is "androidkeystore_v1 ";
- -Keyalg RSA indicates that the algorithm used to generate the key file is RSA;
- -Validity 20000 indicates that the digital certificate is valid for 20000 days, meaning that the certificate will expire after 20000 days
When you execute the above command to generate a digital certificate file, you will be prompted to enter some information, including the certificate password.
The key library will be placed in the current directory C: \ Users \ chen. jian \ ChenJian. keystore. You can also specify the directory by yourself.
Step 3 Use jarsigner to sign the app:
Jarsigner-verbose-keystore ChenJian. keystore-signedjar Signed_ZHGL.apk Unsigned_ZHGL.apk androidkeystore_v1
Note:
- Jarsigner is the tool name.-verbose indicates that the detailed information in the signature process is printed and displayed in the dos window;
- -Keystore ChenJian. keystore indicates the location of the digital certificate used for the signature. There is no write path here, indicating that it is in the current directory;
- -Signedjar Signed_ZHGL.apk unsigned_zhgl.apk.pdf sign the unsigned_zhgl.apk file. The file name behind the signing is Signed_ZHGL.apk;
The last androidkeystore_v1 indicates the certificate alias, which corresponds to the name following the-alias parameter when the digital certificate is generated.
Step 4: optimize the app:
Zipalign-v 4 Signed_ZHGL.apk Signed_aligned_ZHGL.apk
Note:
- Zipalign is the tool name.-v indicates that the detailed optimization information is printed in the DOS window;
- Signed_ZHGL.apk Signed_aligned_ZHGL.apk optimized the signed_zhgl.apkfile and named Signed_aligned_ZHGL.apk.
- NOTE: If your previous program adopts the default signature method (that is, the debug signature), once a new signature application is changed, the installation cannot be overwritten and the original program must be uninstalled, can be installed. Because the program overwrites the installation and mainly checks two points:
- Whether the portal Activity of the two programs is the same. If the package names of the two programs are different, even if all other codes are identical, they will not be considered as different versions of the same program;
- Whether the signatures used by the two programs are the same. If the two programs use different signatures, even if the package name is the same, it will not be regarded as different versions of the same program and cannot overwrite the installation.
- In addition, some may think that the debug signature application can also be installed and used, and there is no need to sign the application by yourself. Never think like this. The debug Signature Application has two restrictions or risks:
- Applications With debug signatures cannot be commercially available in the Android Market. It forces you to use your own signatures;
Debug. keystore may generate different values on different machines, which means that if you change the machine to upgrade the apk version, the above program cannot overwrite the installation. Don't underestimate this issue. If the program you develop is only used by yourself, of course it doesn't matter. Uninstall and install it. But if your software has a lot of customers, this is a big problem, it is equivalent to the software does not have the upgrade function!
5. digital certificate usage 1) share the advantages of digital certificates
- It is conducive to program upgrade. When the new version of the program and the old version of the digital certificate are the same, the Android system will think that these two programs are different versions of the same program. If the digital certificates of the New and Old programs are different, the Android system considers them different programs and conflicts with each other, and requires the new program to change the package name.
- It facilitates modular design and development of programs. The Android system allows a program with the same digital signature to run in a process. The Android program regards them as the same program. Therefore, developers can develop their programs into modules, and users only need to download the appropriate modules as needed.
- Data and code can be shared among multiple programs through permission. Android provides a digital certificate-based permission granting mechanism. Applications can share functions or data with other programs to those programs that have the same digital certificate as themselves. If the protectionLevel of a permission (permission) is signature, this permission can only be granted to programs with the same digital certificate as the package where the permission is located.
2) digital certificate validity period
- The validity period of the digital certificate must include the expected life cycle of the program. Once the digital certificate becomes invalid, the program holding the certificate cannot be upgraded normally.
- If multiple programs use the same digital certificate, the validity period of the digital certificate must include the expected life cycle of all programs.
- Android Market requires that all application digital certificates be valid until January 1, October 22, 2033.
3) Key Points of digital certificates
- The digital certificate used by the Android package can be self-Signed and does not require signature authentication by an authoritative Digital Certificate Authority.
- To officially release an Android app, you must use a digital certificate generated by the appropriate private key to sign the app. Instead, you cannot use the debugging certificate generated by the adt plug-in or ant tool to publish the app.
- Digital Certificates are valid. Android only checks the validity period of the certificate when the application is installed. If the program has been installed in the system, the normal functions of the program will not be affected even if the certificate expires.
- Android uses the standard java tool Keytool and Jarsigner to generate a digital certificate and sign the application package.
6. Publish an application
The process of publishing applications on Google Play is provided on the Internet. Here I will only briefly introduce how the domestic App Store releases applications.
Step 1: First, you must have an account of , and the account of is universal (you can publish applications in security guard, mobile assistant, etc ···), unlike an ordinary account, if you want to release software in the App Store, you must perform real-name authentication and hold photos of your ID card.
Step 2: log onto the http://dev.360.cn/select publish application-> go to the new page and select create software
Step 3: Follow the prompts to fill in the relevant information about the software. It is worth noting that has special requirements on the size of the uploaded image. It is best to take screenshots and edit the image after reading it clearly, otherwise, it will waste a lot of time.
Step 4: Wait for approval
PS: After registering a developer account, you can choose to launch, cloud testing, software reinforcement, AD access, and other functions.
7. System Application Signature
In the AndroidManifest. xml file, the permission of the app is usually stated. Some permissions can only be used by system-level applications. In this case, the following applications must be properly run.
1) permission
Declare permission in AndroidMainifest. xml:
<Uses-permissionandroid: name = "android. permission. WRITE_SECURE_SETTINGS"/>
2) Share System Processes
Android: sharedUserId = "android. uid. system"
In the Android system, for security considerations, different apk runs in different processes by default, so they cannot access each other, however, Android also provides a mechanism to configure one or more apk files to run in the same process to meet mutual access requirements. Apart from using sharedUserId, the same signature must also be used.
3) system signature
To use system permissions, you must use the system's key to sign the apk.
4) Android. mk
Modify the Android. mk file and add the LOCAL_CERTIFICATE: = platform line. In command line mode, if you use mm to compile the file, the system key is used by default to sign the apk.
Of course, you can also find the key and manually sign the application. First, find the key file. The location in my Android source code directory is "build/target/product/security ", the following platform. pk8 and platform. x509.pem files. Then, use the Signapk tool provided by Android to sign it. The source code of signapk is under "build/tools/signapk" and signapk. jar can be found directly in the "android \ out \ host \ linux-x86 \ framework" or "android \ prebuilts \ sdk \ tools \ lib" directory, you can use the absolute path, you can also directly put it in the current directory (C: \ Users \ chen. jian) in the format
"Java-jarsignapk. jar platform. x509.pem platform. pk8 input.apk output.apk"
5) convert the system key to the keystore format
If you want to compile and debug system applications through S, it is necessary to convert the system key into a keystore. The following describes the conversion method.
Step 1: Build a Linux environment
Create the directory signature in Linux and copy platform. x509.pem platform. pk8 to this directory.
Step 2: Convert the private key in pkcs8 format to pkcs12 format
Openssl pkcs8-in platform. pk8-inform DER-outform PEM-out platform. priv. pem-nocrypt
Step 3: generate a key file in pkcs12 format
Openssl pkcs12-export-in platform. x509.pem-inkey platform. priv. pem-out platform. pk12-name androiddebugkey
(PS: in this process, enter the password android)
Step 4: generate a keystore File
Keytool-importkeystore-deststorepass android-destkeypass android-destkeystore debug. keystore-srckeystore platform. pk12-srcstoretype PKCS12-srcstorepass android-alias androiddebugkey
6) Eclips compile and generate the apk with the system signature
Method 1: Follow the description in this article to export the signed apk document using Eclips. After you enter the keystore and key entry password (both android), you can export the signed apk normally.
Method 2: In Eclipse Windows/Preferences/Android/Build, set "m debug keystore" to the generated keystore, as shown in.
How to sign Android applications
The Android system requires that all programs be installed with digital signatures. If no digital signature is available, the system will not install and run this program. Whether it's a simulator or a real mobile phone. Therefore, before running the debugging program on a device or simulator, you must set a digital signature for the application. · All programs must be signed. If no programs are signed, the system will not be able to install them. · You can use self-signed certificates to sign applications without authorization creden. · The system will only test the validity period of the signature certificate during installation. If the application signature expires only after installation, the application can still be enabled normally. · You can use the standard tool-Keytool and jarsigner-to generate a secret to sign the. APK file of the application. The Android SDK tool can sign the application during debugging. Both the ADT plug-in and the Ant compilation tool provide two signature modes: debug mode and release mode. In debug mode, the compilation tool uses the general program Keytool in JDK to create the secret lock and key through known methods and passwords. For each compilation, the tool uses the debugpassword to sign for the .apk file of the application. Because the password is known, the tool does not need to prompt you to enter the password and key at each compilation. · When the application is ready for release after debugging, You can compile it in release mode. In the releasemode, the editing tool does not sign the .apk file. Secret uses keytoolto generate a secret and a secret, and then uses jarsignertool in JDK to sign the .apk file. To set the basic signature settings, first set the JAVA_HOME environment variable to tell the SDK how to find the Keytool, or add the jdk path of Keytool to the path variable of the Windows environment variable. When releasing the release version, right-click your project from the Package version and choose Android Tools and Export Application Package from the shortcut menu. You can also click the "Exporting the unsigned. apk" connection on the overview page to export the unsigned apk file. After saving the .apk file, use Jarsigner and its own key to sign the apk file. If there is no key, you can use Keystore to create the key and password lock. If you already have a secret, such as a public secret, you can sign the .apk file. You can also write the complete step above as a bat file, so that you only need to run the bat file when signing the file. The following is a complete bat file example: @ Rem android signature program // annotation instruction @ Rem echo is the display Instruction format: echo [{on | off}] [message] @ echo *************************** * ***************************** @ Rem file whether the command format exists: if exist path + file name command @ if exist d: sign/MyFirstApp. keystore goto sign @ echo creates the signature file MyFirstApp. keystore @ Rem keytool Command Format:-genkey generates the signature-alias-keyalg encryption algorithm-validity valid days-keystore generates the signature file name keytool-genkey-alias MyFirstApp. key store-keyalg RSA-validity 40000-keystore MyFirstApp. keystore @ echo start Signature: @ Rem jarsigner Command Format:-verbose output details-keystore location-file to be generated by signedjar ...... remaining full text>
What is the signature mechanism of Android applications?
I don't know. I'm also learning. Sundy android advanced application course