Android Application Signature

Android Application Signature

This article mainly introduces the theoretical knowledge of Android Application signatures and how to publish Android applications.

1. Concept of Signature

It is a well-known signature in daily life. It represents a special mark of a person and is used to uniquely identify a person. The signature of an Android application is essentially the same as that of a routine application. The signature of an application is also a special identifier that developers can mark in the application, when someone else sees this tag, they will know that this application is related to you or you have developed it, not others.

2. Do Android applications need signatures?

Yes, the Android system released by Google requires that each published application must be signed. The Android Application signature is used to establish the trust relationship between the developer and the package of the program. when updating the application, the Android system requires that the signatures of the New and Old applications be consistent.

Different from signatures on windows, Android signatures do not require authoritative Digital Certificate Authority authentication and are not used to determine which applications can be installed by end users, it is completed by the program author and a self-authentication mechanism for the Android system package.

3. Debug Signature

If you are a beginner developer, you will find that the application you developed has not passed your own signature and can also be installed on the Android system machine, this is because the ADT tool uses the debug digital certificate (which exists in debug. keystore) automatically adds a debug signature to each application in the development stage.

Debug. the keystore is also known as the debug keystore. It is a required file for app signature. When using ipvs, the ADT (Android Development Tools) Plug-in is installed, and the ADT comes with the debug keystore (also known as the witness library, because *. keystore is used to store digital certificates:

System Disk: \ Users \ zhangsan \. android \ debug. keystore. The locations of different system key libraries may be slightly different.

In general, in the development phase, the application does not need the author to create a keystore file (*. keystore), but if you want to release a developed application, you must use your own signature. The debug signature application cannot be published to the application store.

4. How to sign an application

The App signature can be completed in two ways, using the graphical interface provided by ADT, or using the command line (DOS) command to sign.

1) Graphical tool signature Step 1: Export

Select project-> right-click-> export Android Application (here I will use the Android App project ZHGL for demonstration)

Step 2: select the app project to export

Step 3: Create a keystore (*. keystore)

For the first time, select create new keystore, specify the location where the keystore (. keystore) is stored: C: \ Users \ chen. jian \ Desktop \ AndroidSignature, and set the keystore password.

PS: The key can be signed for multiple applications. We recommend that you have a keystore.

Step 4: create a signature certificate

The concept of signature certificate: In a real environment, the certificate carries the author/certificate content and other relevant information, and then the signature or seal of the issuing authority, which is essentially the same as the signature certificate here, the password you set is equivalent to a signature. The signature tool uses this password to encrypt the apk.

-- Alias: the Alias of the keystore (set by the author and case-insensitive. The keystore can store multiple signature certificates (Digital Certificates). We recommend that you create different signature certificates for different apps)

-- Password: Key Password

-- Validity: Validity Period of the signature certificate

Step 5: generate a signed apk File

Step 6: Use the created certificate to sign the apk.

2) doscommand for signature

In the DOS environment, three tools are required to sign the apk: keytool, jarsigner, and zipalign.

Keytool: Creates a key library and a digital certificate. In the bin installation directory of JDK (for example, C: \ Program Files \ Java \ jdk1.6.0 _ 10 \ bin), Jarsigner: sign the apk, and Zipalign under the JDK bin installation directory: optimize the signed apk file to improve the efficiency of the virtual machine execution, which is stored in the SDK tools directory (for example: d: \ android-sdk-windows \ tools \)

It can be seen that the signature to the apk is not a patent of Android, but already exists at the beginning of the Java era.

PS: to use these tools in the DOS environment, you need to add them to the environment variables of windows.

Step 1: Export unsigned apk files

Step 2: Use keytool to create a digital certificate

Keytool-genkey-v-keystore ChenJian. keystore-alias androidkeystore_v1-keyalg RSA-validity 20000

Note:

Keytool is the tool name.-genkey indicates that the digital certificate generation operation is performed.-v indicates that the detailed information of the generated certificate is printed and displayed in the dos window.-keystore ChenJian. keystore indicates that the generated digital certificate is named "ChenJian. keystore ";-alias androidkeystore_v1 indicates that the certificate alias is" androidkeystore_v1 ";-keyalg RSA indicates that the algorithm used to generate the key file is RSA; -validity 20000 indicates that the digital certificate is valid for 20000 days, meaning that the certificate will expire after 20000 days

When you execute the above command to generate a digital certificate file, you will be prompted to enter some information, including the certificate password.

The key library will be placed in the current directory C: \ Users \ chen. jian \ ChenJian. keystore. You can also specify the directory by yourself.

Step 3 Use jarsigner to sign the app:

Jarsigner-verbose-keystore ChenJian. keystore-signedjar Signed_ZHGL.apk Unsigned_ZHGL.apk androidkeystore_v1

Note:

Jarsigner is the tool name.-verbose indicates that the detailed information in the signature process is printed and displayed in the dos window;-keystore ChenJian. keystore indicates the location of the digital certificate used for the signature. There is no write path here, indicating that it is in the current directory;-signedjar Signed_ZHGL.apk plugin;

The last androidkeystore_v1 indicates the certificate alias, which corresponds to the name following the-alias parameter when the digital certificate is generated.

Step 4: optimize the app:

Zipalign-v 4 Signed_ZHGL.apk Signed_aligned_ZHGL.apk

Note:

Signed_aligned_ZHGL.apk example Description: If your previous program adopts the default signature method (that is, debug signature), once you change the new signature, the application cannot overwrite the installation, you must uninstall the original program to install it. Because the program overwrites the installation, it mainly checks whether the entry activities of the two programs are the same. If the package names of the two programs are different, even if all the other code is the same, they will not be regarded as different versions of the same program; the signatures used by the two programs are the same. If the two programs use different signatures, even if the package name is the same, it will not be regarded as different versions of the same program and cannot overwrite the installation. In addition, some may think that the debug signature application can also be installed and used, and there is no need to sign the application by yourself. Do not think like this. The debug Signature Application has two restrictions, or risks: the debug signature application cannot be sold on the Android Market, and it will force you to use your own signature;

Debug. keystore may generate different values on different machines, which means that if you change the machine to upgrade the apk version, the above program cannot overwrite the installation. Don't underestimate this issue. If the program you develop is only used by yourself, of course it doesn't matter. Uninstall and install it. But if your software has a lot of customers, this is a big problem, it is equivalent to the software does not have the upgrade function!

Download the appropriate modules. Data and code can be shared among multiple programs through permission. Android provides a digital certificate-based permission granting mechanism. Applications can share functions or data with other programs to those programs that have the same digital certificate as themselves. If the protectionLevel of a permission (permission) is signature, this permission can only be granted to programs with the same digital certificate as the package where the permission is located.

2) digital certificate validity period

The validity period of the digital certificate must include the expected life cycle of the program. Once the digital certificate becomes invalid, the program holding the certificate cannot be upgraded normally. If multiple programs use the same digital certificate, the validity period of the digital certificate must include the expected life cycle of all programs. Android Market requires that all application digital certificates be valid until January 1, October 22, 2033.

3) Key Points of digital certificates

The digital certificate used by the Android package can be self-Signed and does not need to be signed by an authoritative Digital Certificate Authority. If you want to officially release an Android, A digital certificate generated by an appropriate private key must be used to sign the program, rather than the debug certificate generated by the adt plug-in or ant tool. Digital Certificates are valid. Android only checks the validity period of the certificate when the application is installed. If the program has been installed in the system, the normal functions of the program will not be affected even if the certificate expires. Android uses the standard java tool Keytool and Jarsigner to generate a digital certificate and sign the application package.

6. Publish an application

The process of publishing applications on Google Play is provided on the Internet. Here I will only briefly introduce how the domestic App Store (360) releases applications.

Step 1: First, you must have an account of 360, and the account of 360 is universal (you can publish applications in security guard, mobile assistant, etc ···), unlike an ordinary account, if you want to release software in the 360 App Store, you must perform real-name authentication and hold photos of your ID card.

Step 2: log onto the http://dev.360.cn/select publish application-> go to the new page and select create software

Step 3: Follow the prompts to fill in the relevant information about the software. It is worth noting that 360 has special requirements on the size of the uploaded image. It is best to take screenshots and edit the image after reading it clearly, otherwise, it will waste a lot of time.

Step 4: Wait for approval

PS: After registering a developer account, you can choose to launch, cloud testing, software reinforcement, AD access, and other functions.