[Android automated packaging] 03. Digital Signature of APK

Source: Internet
Author: User

1. What is a digital signature?
A digital signature marks a program as your own. When other people see the signature, they know that the program is associated with you.
2. Why do I need a digital signature?
The simplest and most direct answer: the system requires it.
Android requires every application to be digitally signed before it can be installed. An application that is not digitally signed cannot be installed at all. Android uses the digital signature to identify the author of an application and to establish trust relationships between applications. It is not used to decide which applications the end user may install. The signature is produced by the author of the application and does not need to be certified by an authoritative certificate authority. It is only used to authenticate the application package.
3. What is the digital certificate mechanism?
Android uses Java's digital certificate mechanism to attach a digital certificate to an APK. To understand Android digital certificates, you must first understand the concept of a digital certificate and Java's digital certificate mechanism.

4. Benefits of using the same digital certificate for your programs
(1) It facilitates program upgrades.
When the new version and the old version of a program have the same digital certificate, Android treats them as different versions of the same program. If the digital certificates of the new and old programs differ, Android considers them different programs that conflict with each other, and requires the new program to change its package name.
(2) It facilitates modular design and development of programs.
Android allows programs with the same digital signature to run in one process and regards them as the same program. Developers can therefore split their programs into modules, and users only need to download the modules they need.
(3) Data and code can be shared among multiple programs through permissions.
Android provides a permission-granting mechanism based on digital certificates. An application can share functions or data with other programs that have the same digital certificate as itself. If the protectionLevel of a permission is signature, the permission is granted only to programs that have the same digital certificate as the package where the permission is declared.

5. The validity period of the digital certificate must be considered when signing:

(1) The validity period of the digital certificate must include the expected life cycle of the program. Once the digital certificate expires, the program holding the certificate cannot be upgraded normally.

(2) If multiple programs use the same digital certificate, the validity period of the digital certificate should include the estimated life cycle of all programs.

(3) Android Market requires that the digital certificates of all applications be valid until October 22, 2033.
6. Key Points of digital certificates:

The android digital certificate contains the following key points:

(1) All applications must have a digital certificate. Android does not install an application without one.

(2) The digital certificate used by an Android package can be self-signed. It does not need to be signed by an authoritative certificate authority.

(3) To officially release an Android app, you must sign it with a digital certificate generated from a suitable private key, not with the debug certificate generated by the ADT plug-in or the ant tool.

(4) Every digital certificate has a validity period. Android only checks the validity period of the certificate when the application is installed. If the program is already installed, its normal functions are not affected even if the certificate expires.

(5) Android uses the standard Java tools keytool and jarsigner to generate a digital certificate and sign the application package.

(6) Use zipalign to optimize the program.

We all know that Android will not install or run an unsigned APK, whether on the emulator or on a physical device. This raises a question: why do programs run on emulators and real devices during daily development without any signing step? The answer lies in the two modes of an APK: debug mode and release mode.

1. Debug mode: In debug mode, ADT automatically signs the application with the debug key, so we can run the program directly.
Debug key: a file named debug.keystore
Storage location: C:\Users\Xiaopeng\.android\debug.keystore
Replace Xiaopeng with the username of your operating system.
Two risks: an application signed with the debug key has two risks:
1) A debug-signed application cannot be sold on the Android Market, which forces you to use your own signature.
2) debug.keystore may be generated with different values on different machines, which means that if you build an upgraded APK on another machine, it cannot be installed over the existing version. Don't underestimate this issue. If the program you develop is only used by yourself, it doesn't matter: uninstall it and install it again. But if your software has many customers, this is a big problem, because the software effectively has no upgrade function.
Therefore, you must have your own digital certificate for signing.
2. Release mode: To publish a program, developers need to sign the APK package with their own digital certificate.
You can use your own digital certificate to sign the APK:

(1) Use the DOS command line to sign the APK.

(2) Use ADT export wizard for signature
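
Two of the points above, that a release must not be signed with the debug certificate and that the validity period must reach the required date, can be checked before signing. The script below is an added example, not part of the original article. It parses the text printed by keytool -list -v and assumes English-locale output, the placeholder names release.keystore and release, and the owner name CN=Android Debug for the auto-generated debug key. The certificate samples are constructed.

```sh
#!/bin/sh
# Release gate for a signing certificate. Input on stdin is the text printed by
#   keytool -list -v -keystore release.keystore -alias release
# (release.keystore and the alias "release" are placeholder names).
# keytool's -validity option sets the lifetime in days when the key is generated.

MIN_EXPIRY=20331022   # YYYYMMDD: the market cut-off date given in the article

# cert_expiry_ymd: print the certificate's "until:" date as YYYYMMDD.
cert_expiry_ymd() {
  awk '/Valid from:/ {
         sub(/.*until: */, "")   # leaves e.g. "Fri May 19 00:00:00 UTC 2051"
         m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
         printf "%04d%02d%02d\n", $NF, m, $3
         exit
       }'
}

# check_release_cert: return 0 if the certificate may be used for a release.
check_release_cert() {
  text=$(cat)
  owner=$(printf '%s\n' "$text" | sed -n 's/^ *Owner: *//p' | head -n 1)
  expiry=$(printf '%s\n' "$text" | cert_expiry_ymd)
  if [ -z "$owner" ] || [ -z "$expiry" ]; then
    echo "REJECT: could not parse certificate text"; return 1
  fi
  case "$owner" in
    *"CN=Android Debug"*)   # assumed owner name of the auto-generated debug key
      echo "REJECT: debug certificate ($owner)"; return 1 ;;
  esac
  if [ "$expiry" -lt "$MIN_EXPIRY" ]; then
    echo "REJECT: expires $expiry, before $MIN_EXPIRY"; return 1
  fi
  echo "OK: $owner, valid until $expiry"
}

# Constructed sample certificates (English-locale keytool layout assumed).
DEBUG_CERT='Owner: CN=Android Debug, O=Android, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 24 00:00:00 UTC 2053'
SHORT_CERT='Owner: CN=Example Dev, O=Example, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Dec 31 00:00:00 UTC 2028'
RELEASE_CERT='Owner: CN=Example Dev, O=Example, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Fri May 19 00:00:00 UTC 2051'

for cert in "$DEBUG_CERT" "$SHORT_CERT" "$RELEASE_CERT"; do
  printf '%s\n' "$cert" | check_release_cert || true
done
```

The third sample corresponds to a key generated on January 1, 2024 with -validity 10000, which is the only one of the three that passes both checks.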