Android Application signature steps and related knowledge

This article mainly describes the theoretical knowledge of Android Application signatures, including: What is a signature, why is it necessary to sign an application, how to sign an application, etc..

1. What is a signature?
If this is not a question in Android development, if it is in a common forum, I think everyone knows the meaning of the signature. However, people often get confused by putting some commonly used terms in their daily lives in the computer field. What computers do, or what programming languages do, is not exactly simulating the reality as much as possible? Therefore, the signatures in the computer are essentially the same as those in the life, and they play the same role!
Let's take a look at the signature in real life. For example, the image below:

This is the signature of actress Sun Li. Signature means to write your own name on paper or elsewhere, or put a mark somewhere as your own unique identifier. When someone else sees this signature, he will know that this is related to you, not others.

2. Why do I need to sign the Android app?
If you can only answer this question with a simple sentence, I will say, "this is what the Android system requires ".
The Android system requires that each Android application be installed in the system only by digital signature. That is to say, if an Android application is not digitally signed, it cannot be installed in the system! Android uses a digital signature to identify the author of an application and establish a trust relationship between the application. It is not used to determine which applications can be installed by the end user. This digital signature is completed by the author of the application and does not need to be authenticated by an authoritative Digital Certificate Signing organization. It is only used to authenticate the application package.

3. Why can I run Android apps on simulators and mobile phones without any signatures?
If you do not sign the Android Application, it does not mean that the Android application is not signed. To facilitate the development of debugging programs, ADT automatically uses the debug key to sign the application. Debug key? Where is it? The debug key is a file named debug. keystore. Its location is:
System drive letter:/Documents and Settings/liufeng/. android/debug. keystore
"Liufeng" corresponds to your windows operating system user name. How about it? Have you found it. This means that if we want to have our own signature, instead of letting ADT help us sign the signature, we also need a key file (*. keystore) of our own ).

4. Steps for signing Android applications
1) Preparations
The apk signature can be completed in two ways:
1) Complete the apk signature through the graphic interface provided by ADT;
2) Complete the apk signature using the DOS command.
I prefer 2nd), so the following describes how to use the command to complete the apk signature.
Three tools or three commands are used to sign the apk: keytool, jarsigner, and zipalign. The following is a brief introduction to these three tools:
1) keytool: generate a digital certificate, that is, the key, that is, the file with the extension. keystore mentioned above;
2) jarsigner: Use a digital certificate to sign the apk file;
3) zipalign: optimizes the signed apk to improve interaction efficiency with the Android system (Android SDK1.6 starts to include this tool)
The usage sequence of the three tools can also be seen from the functions of the three tools. Generally, all applications developed by ourselves use the same signature, that is, the same digital certificate. This means that if you sign the Android Application for the first time, all the above three tools will be used. However, if you already have a digital certificate, you only need to use jarsigner and zipalign to sign other apk files.
To facilitate the use of the preceding three commands, you must first add the paths of the preceding three tools to the environment variable path (I am talking about this for ease of use, not the need to do so ). How to configure environment variables is not explained here. Here we need to talk about the default path of the three tools:
1) keytool: the tool is located in the bin directory of the jdk installation path;
2) jarsigner: the tool is located in the bin directory of the jdk installation path;
3) zipalign: the tool is located in the android-sdk-windows/tools/directory.
I wonder if you have noticed that the keytool and jarsigner tools come with jdk, which means generating digital certificates and file signatures are not Android patents; in addition, it can be guessed from the literal understanding of jarsigner that this tool is mainly used to sign the jar file.
2) generate an unsigned apk File
Since we need to sign the apk ourselves, we no longer need to sign the apk by default.How can I get an unsigned apk file?Open Eclipse, right-click the Android project name, select "Android Tools"-"Export Unsigned Application Package...", and select a storage location to save it. In this way, an unsigned apk file is obtained.
3) Use keytool to generate a digital certificate
Keytool-genkey-v-keystore liufeng. Key store-alias liufeng. keystore-keyalg RSA-validity 20000
Note:
1) keytool is the tool name.-genkey indicates that the digital certificate generation operation is performed.-v indicates that the certificate generation details are printed and displayed in the dos window;
2)-keystore liufeng. keystore indicates that the name of the generated digital certificate is "liufeng. keystore ";
3)-alias liufeng. keystore indicates that the certificate alias is "liufeng. keystore". Of course, it can be different from the above file name;
4)-keyalg RSA indicates that the algorithm used to generate the key file is RSA;
5)-validity 20000 indicates that the digital certificate is valid for 20000 days, meaning that the certificate will expire after 20000 days
When you execute the above command to generate a digital certificate file, you will be prompted to enter some information, including the certificate password, for example:

4) use the jarsigner tool to sign Android applications
Jarsigner-verbose-keystore liufeng. keystore-signedjar notepad_signed.apk notepad.apk liufeng. keystore
Note:
1) jarsigner is the tool name.-verbose indicates that the detailed information in the signature process is printed and displayed in the dos window;
2)-keystore liufeng. keystore indicates the location of the digital certificate used for the signature. There is no write path here, indicating that it is in the current directory;
3)-signedjar notepad_signed.apk notepad.apk: Click it to sign the notepad.apk file. The file name behind the signature is notepad_signed.apk;
4) The last liufeng. keystore indicates the certificate alias, which corresponds to the name following the-alias parameter when a digital certificate is generated.
5) Use zipalign to optimize signed apk(Optional, but recommended)
Zipalign-v 4 notepad_signed.apk notepad_signed_aligned.apk
Note:
1) zipalign is the tool name.-v indicates that the detailed optimization information is printed in the DOS window;
2)notepad_signed.apk notepad_signed_aligned.apk optimize the signed file notepad_signed.apk. the file name is notepad_signed_aligned.apk.

Note:If your previous program adopts the default signature method (that is, the debug signature), once you change the new signature, the application cannot overwrite and install it. You must uninstall the original program, can be installed. Because the program overwrites the installation and mainly checks two points:
1) whether the portal Activity of the two programs is the same. If the package names of the two programs are different, even if all other codes are identical, they will not be considered as different versions of the same program;
2) whether the signatures used by the two programs are the same. If the two programs use different signatures, even if the package name is the same, it will not be regarded as different versions of the same program and cannot overwrite the installation.
In addition, some may think that the debug signature application can also be installed and used, and there is no need to sign the application by yourself. Never think like this. The debug Signature Application has two restrictions or risks:
1) the debug signature application cannot be sold on the Android Market. It forces you to use your own signature;
2) debug. keystore may generate different values on different machines, which means that if you change the machine to an apk version upgrade, the above program cannot overwrite the installation. Don't underestimate this issue. If the program you develop is only used by yourself, of course it doesn't matter. Uninstall and install it. But if your software has a lot of customers, this is a big problem, it is equivalent to the software does not have the upgrade function!