Android digital signature learning notes

All applications installed on the Android systemProgramA digital certificate is required to identify the author of an application and establish a trust relationship between the application. If the protectionlevel of a permission is signature, only applications with the same digital certificate as the program where the permission is located can obtain the permission. Android uses the digital certificate-Related Mechanism of Java to add a digital certificate to APK. To understand the digital certificate of Android, you must first understand the concept of the digital certificate and the digital certificate mechanism of Java. Android requires that every application installed in the system be signed by a digital certificate, and the private key of the digital certificate is stored in the hands of the program developer. Android uses a digital certificate to identify the author of an application and establish a trust relationship between the application, instead of deciding which applications the end user can install. This digital certificate does not need to be authenticated by an authoritative Digital Certificate Signing Authority. It is only used to authenticate the application package.

Multiple programs of the same developer should use the same digital certificate whenever possible, Which can bring the following benefits.

(1) It is conducive to program upgrade. When the digital certificates of the New and Old programs are the same, the android system considers the two programs as different versions of the same program. If the digital certificates of the New and Old programs are different, the android system considers them different programs and conflicts with each other, and requires the new program to change the package name.

(2) facilitates modular design and development of programs. The Android system allows a program with the same digital signature to run in a process. The Android program regards them as the same program. Therefore, developers can develop their programs into modules, and users only need to download the appropriate modules as needed.

(3) You can share data andCode. Android provides a digital certificate-based permission granting mechanism. Applications can share functions or data with other programs to those programs that have the same digital certificate as themselves. If the protectionlevel of a permission (permission) is signature, this permission can only be granted to programs with the same digital certificate as the package where the permission is located.

When signing a signature, consider numbers.Certificate validity period:

(1) The validity period of the digital certificate must include the expected life cycle of the program. Once the digital certificate expires, the program holding the certificate cannot be upgraded normally.

(2) If multiple programs use the same digital certificate, the validity period of the digital certificate should include the estimated life cycle of all programs.

(3) Android Market requires that the digital certificates of all applications be valid until January 1, October 22, 2033.

The android digital certificate contains the following key points:

(1)All applications must have digital certificates.Android does not install an application without a digital certificate.

(2) the digital certificate used by the android package can beSelf-signed, No need for an authoritative Digital Certificate Authority signature authentication

(3)To officially release an Android app, you must use a digital certificate generated by a suitable private key to sign the app.Instead of using the debugging certificate generated by the ADT plug-in or ant tool.

(4) digital certificates all haveValidity PeriodAndroid only checks the validity period of the certificate when the application is installed. If the program has been installed in the system, the normal functions of the program will not be affected even if the certificate expires.

(5) Android uses standard Java toolsKeytool and jarsignerTo generate a digital certificate and sign the application package.

(6) UseZipalignOptimization program.

The Android system does not install and run any unsigned APK program, whether on a simulator or on a physical device. Android development tools (ADT plug-in and ant) can help developers sign the APK program. They both have two modes: debug mode and release mode ).

In the debugging mode, the android development tool uses the digital certificate used for debugging to sign the program at each compilation. Developers do not need to worry about it.

To publish a program, developers need to use their own digital certificates to sign the APK package. There are two methods.

(1) Use JDK and keytool (used to generate digital certificates) and jarsigner (used to sign digital certificates) in the command line to sign the APK package.

(2) Use ADT export wizard for signature (if there is no digital certificate, you may need to generate a digital certificate ).

Use keytool and jarsigner to sign the program

Command:Keytool-genkey-v-keystore Android. keystore-alias Android-keyalg RSA-validity 20000

In this command,-keystore ophone. keystore indicates the generated certificate, and the path can be added (under the user's main directory by default);-alias ophone indicates that the certificate alias is ophone;-keyalg RSA indicates that the RSAAlgorithm-Validity 20000 indicates that the certificate is valid for 20000 days.

At this point, we will see ophone. keystore in the mutual use home directory, that is, the certificate we just created.

Then, sign the program:

Jarsigner usage: [Option] JAR file alias
Jarsigner-verify [Option] JAR File

Run:Jarsigner-verbose-keystore Android. keystore-signedjar android123_signed.apk android123.apk AndroidYou can generate a signed APK file. Here, the input file android123.apk is used to generate the APK execution file signed by Android 123_signed.apk. The password entered below is the same as that entered in keytool. (However, the jarsigner program is not found in my JDK directory. I don't know what is going on)

Use ADT export wizard for signature

Application (APK) signature, in EC, right-click Application project, select

Select the certificate storage path and fill in the relevant information to generate the signed APK file. As shown in:

As shown in, you can also choose "create new keystore" here to create a certificate. Enter the password, click Next, and enter relevant information, as shown in.

Use zipalign to optimize APK

According to the description in the official documents, the application data in the Android system is stored in its APK file and can be accessed by multiple processes. The installation process includes the following steps:

• The installer obtains the permissions information associated with the current application through the manifest file of each APK.
• Home application reads the name and icon of the current APK.
• System server reads information related to application running, for example, obtaining and processing application's communications requests.
• Finally, the APK content is not only used by the current application, but can be called by other applications to improve the reusability of system resources.

The most fundamental purpose of zipalign optimization is to help the operating system index resources based on requests more efficiently and unify the resource-handling code to unify the data structure alignment (Data Structure alignment standard: DSA) it is limited to 4-byte boundaries. If alignment is not adopted, the processor cannot accurately and quickly locate related resources in the memory address. Currently, the fallback mechanism is used in the system to process applications that do not have the DSA standard. This greatly facilitates common developers to focus on tedious memory operations. On the contrary, such an application will bring some trouble to common users, which will not only affect the running efficiency of the program, in addition, the overall execution efficiency of the system is reduced and a large amount of unnecessary memory resources are occupied, or even battery life is consumed ).

Manual Optimization Using command line:

• Use the zipalign tool in the Tools Folder. Call the CMD command line first, and then execute:Zipalign-V 4 source.apk androidres.apk. This method is not restricted by API level and can be used to perform align Optimization on any APK version.
• You can also use the zipalign tool to check whether the current APK has been optimized by align. Command:Zipalign-C-V 4 androidres.apk

Automatic Optimization Using ADT:

• From ADT 0.9.3, you can use the export Wizard to automatically perform the align operation on the published application packages. Setting Method: Right-click the project and choose "android Tools">"Export signed application package...".

To sum up, you can use keytool, jarsigner, and zipalign to sign and optimize the program. In this way, three different tools are required:

Keytool-genkey-v-keystore Android. keystore-alias Android-keyalg RSA-validity 20000

Jarsigner-verbose-keystore Android. keystore-signedjar android123_signed.apk android123.apk android

Zipalign-V 4 android123_signed.apk android123_signed_aligned.apk

Of course, you can also use the export signed application package in the ADT plug-in... The graphic interface is simpler, more visual, and more intuitive.

Reference: blog.csdn.net/zgfee/archive/2009/11/11/4796831.aspx

Android SDK: androidappdocs.appspot.com/guide/publishing/app-signing.html

Android123.com.cn/androidkaifa/173.html

Yarin.javaeye.com/blog/549280

Androidres.com/index.php/2009/10/18/use-zipalign-to-optimize-your-application-packages/