Android Signature Detailed (debug and release)

1. Why to sign

1) identity authentication of the sender

Because the developer may be confused by using the same package name to replace the installed program, this ensures that the signature of different packages is not replaced

2) guarantee the integrity of the information transmission

The signature is processed for each file in the package to ensure that the contents of the package are not replaced

3) To prevent the occurrence of repudiation in the transaction, market requirements for the software

2. Description of the signature

1) All applications must have a digital certificate , the Android system will not install an application without a digital certificate

2) The digital certificate used by the Android package can be self-signed and does not require an authoritative digital certificate Authority signature Authentication

3) If you want to formally publish an Android app, you must use a digital certificate generated by a suitable private key to sign the program, instead of using the ADT plugin or the debug certificate generated by the Ant tool to publish

4) Digital certificates are valid , and Android only checks the validity of the certificate when the application is installed. If the program is already installed in the system, even if the certificate expires, it does not affect the normal function of the program

5) Use zipalign optimizer after signature

6) Android uses digital certificates to identify the author of an application and to establish a trust relationship between applications, rather than determining which applications the end user can install

3. How to sign

There are three ways to pack: command-line manual packaging, ant auto-compile packaging, Eclipse+adt compilation packaging, and packaging steps as follows:

The first step is to generate the R.java class file:

R.java,ant is automatically generated in Eclipse and the command line generates R.java using the Aapt.ext program provided by the Android SDK.

The second step is to generate the. aidl file with the. Java class file:

Automatically generated in Eclipse, Ant and the command line generate. java files using the Aidl.exe provided by the Android SDK.

The third step is to compile the. Java class file to generate the class file:

Automatically generated in Eclipse, Ant and the command line generate class files using the JDK's Javac compiled Java class file.

The fourth step is to package the class file to generate the Classes.dex file:

Automatically generated in Eclipse, Ant and the command line generate Classes.dex files using the Dx.bat command line script provided by the Android SDK.

Fifth Step packaging resource files (including res, assets, Androidmanifest.xml, etc.):

Automatically generated in Eclipse, Ant and the command line generate resource bundle files using the Aapt.exe provided by the Android SDK.

The sixth step is to generate an unsigned apk installation file:

The automatic generation of debug signature files in eclipse is stored in the bin directory, and the Ant and command line uses the Apkbuilder.bat command script provided by the Android SDK to generate an unsigned apk installation file.

The seventh step is to sign the unsigned apk to generate the signed Android file:

Using Android tools for signing in Eclipse, Ant and the command line use the JDK's jarsigner to sign an unsigned package with an APK signature.

3.1 Signing with Eclipse+adt method

See: http://jojol-zhou.iteye.com/blog/719428

A) Debug signature

The Eclipse plugin default gives the program a debug permission signature, this signed program cannot be published to the market, this signature is valid for one year, if it expires you can not generate the APK file, at this time you just delete debug KeyStore can, The system will also generate a new signature for you that is valid for one year

b) The developer generates the key and signs it

By right-clicking on the project name, selecting Android Tools from the menu and selecting the export signed application package, you can customize the certificate and sign it through eclipse

c) The developer exports unsigned packages

Right-click on the project name, select Android Tools from the menu, and then select Export Signed Application package ..., and you can import unsigned packages and then sign them by command line

3.2 Signing in command line mode

Use standard Java tools Keytool and Jarsigner to generate certificates and sign programs.

See: http://jojol-zhou.iteye.com/blog/729254

A) Generate signature

$ keytool-genkey-keystore keyfile-keyalg rsa-validity 10000-alias Yan

Note: Validity is the number of days, KeyFile is the file to generate key, Yan is the private key, RSA is the specified encryption algorithm (RSA or DSA available)

b) sign the APK file

$ jarsigner-verbose-keystore keyfile-signedjar signed.apk base.apk Yan

Note: KeyFile is the file to generate key, SIGNED.APK signed apk,base.apk as unsigned Apk,yan as the private key

c) See if an APK has been signed

$ jarsigner-verify my_application.apk

d) Optimization (need to do alignment optimization after signature)

$ zipalign-v 4 your_project_name-unaligned.apk your_project_name.apk

3.3 Signatures compiled in the source code

A) Use the default signature in the source code

In the source code is generally used to compile the default signature, in a source directory with the running

$ mm showcommands can see the signature command

Android provides a signed program Signapk.jar, using the following:

$ signapk Publickey.x509[.pem] Privatekey.pk8 Input.jar Output.jar

*.X509.PEM is the X509 format public key, PK8 is the private key

There are four default signatures available in the Build/target/product/security directory: TestKey platform shared media (see README.txt), there is a android.mk in the application Local_ The certificate field, which specifies which key to sign with, unspecified default with TestKey.

b) Self-signed in source code

Android provides a script mkkey.sh (build/target/product/security/mkkey.sh) that is used to generate the key after it is generated in the application through Android.mk Local_ Certificate field name with which signature

c) mkkey.sh Introduction

I. Generating the public key

OpenSSL genrsa-3-out TESTKEY.PEM 2048

Where-3 is the parameter of the algorithm, 2048 is the key length, TESTKEY.PEM is the output file

II. Convert to X509 format (including author's validity period, etc.)

OpenSSL req-new-x509-key testkey.pem-out testkey.x509.pem-days 10000-subj '/c=us/st=california/l=mountainview/o=and Roid/ou=android/cn=android/[email protected] '

Iii. Generating the private key

OpenSSL pkcs8-in testkey.pem-topk8-outform der-out testkey.pk8-nocrypt

Convert the format to a PKCS #8, where-NOCRYP is specified, which means no encryption, so you don't need to enter a password when signing

4. Documents related to the signature

1) in the Meta_inf directory, the files associated with the signature in the APK package

CERT. SF: Generate a key relative to each file

MANIFEST. MF: Digital signature information

Xxx. SF: This is the signature file for the jar file, and the placeholder xxx identifies the signer

Xxx. DSA: Signing and public key for an output file

2) Related source code

Development/tools/jarutils/src/com.anroid.jarutils/signedjarbuilder.java

Frameworks/base/services/java/com/android/server/packagemanagerservice.java

Frameworks/base/core/java/android/content/pm/packagemanager.java

Frameworks/base/cmds/pm/src/com/android/commands/pm/pm.java

dalvik/libcore/security/src/main/java/java/security/sign*

build/target/product/security/platform.*

build/tools/signapk/*

5. Issues related to signatures

General prompt Error during installation:install_parse_failed_inconsistent_certificates

1) Two applications, same name, different signature

2) Signature of the previous version when upgrading, no signature in the latter version

3) The previous version of the upgrade is a debug signature, and the latter is a custom signature

4) When upgrading the previous version of the Android source code in the sign

5.1 Viewing the default signature

On different machines or on different devices, the APK signature compiled with Eclipse is not the same. Eclipse has a default signature. To view the signature path:

1) Open Eclipseàwindowàandoridàbuild, in this build interface, find the default debug keysore this edit box, the value of which is the keystore of eclipse in this device.

2) If the application is not installed due to a different signature, you can replace the original keystore with the KeyStore on the current device. and restart Eclipse. Otherwise you can only completely uninstall the APK on your mobile device and reinstall it.

5.2 Unable to overwrite installation

1, by signing the way to generate your apk, instead of directly from under the Bin directory to copy, each Android executable apk has its own signature, as long as the signature is consistent, you can overwrite the installation, and do not need to uninstall;

2, the database table structure changes (add a field, reduce a field, the establishment of a new table). Methods for normal database upgrade public void Onupgrade (sqlitedatabase db, int oldversion, int newversion)

3, sharepreferences data has changed, this is similar to the database, such as the original sharepreferences saved a data is a Boolean, in the latter version of the saved data changed to string, the problem arises.

5.3 Exporting signatures

1) Open cmd console, enter command: Keytool-genkey-alias android.keystore-keyalg rsa-validity 20000-keystore Android.keystore, follow the prompts to fill in the contents, and remember the password, the latter will be used;

2) After generating good keystore, you can export the signature apk. In Eclipse, right-click the project that needs to be signed Àandroid Toolsàexport signed application package,location the location of the generated KeyStore, the password that was set when the KeyStore was created, Then follow the prompts, Next, and finally finish, to successfully export the signature apk.

See: http://blog.csdn.net/yiwanxinyuefml/article/details/6765129

5.4 Debug signature and release signature differences

1) The debug signature application cannot be sold on Android Market, it will force you to use your own signature; the certificate used for signing in debug mode (default is Eclipse/adt and ant compilation) since its creation,1 Will expire after years .

2) Debug.keystore on different machines may not be the same, it means that if you change the machine for APK version upgrade, then the above program will not cover the installation of the problem , the equivalent of software does not have the upgrade function!

6. Zipalign Simple Optimization6.1 Why to optimize

The Android SDK includes a "zipalign" tool that optimizes packaged applications. Run Zipalign on your application to make the interaction between Android and the application more efficient at run time. As a result, this approach allows applications and the entire system to run faster. We strongly recommend using the Zipalign tool on new and published programs to get an optimized version-even if your program was developed under an older version of Android.

6.2 How to help improve performance

In Android, data files stored in each application are accessed by multiple processes, and the installer reads the application's manifest file to handle permissions issues associated with it; the home application reads the resource file to get the name and icon of the application The system service reads the resource for a number of reasons (for example, displaying the application's notification), and the application itself uses the resource file.

In Android, the code that accesses a resource file is efficient when the resource file is aligned to a 4-byte boundary through memory mapping. However, if the resource itself is not aligned (without using the Zipalign tool), it must go back to the old path and explicitly read them-the process will be slow and will cost extra memory.

This explicit reading is quite handy for application developers. It allows for the use of a number of different development methods, including resources that are not aligned in the normal process, so this reading is very convenient (please refer to the original meaning of this paragraph).

Unfortunately, for the user, the situation is exactly the opposite-the never-aligned apk reads resources slowly and spends more memory. The best case scenario is that the home program and the unaligned program start slower than the alignment (which is also the only visible effect). In the worst case scenario, installing an application that does not align resources increases the memory pressure and therefore causes the system to start and kill the process repeatedly. Eventually, the user abandons the use of a device that is so slow and consumes power.

6.3 How to optimize

1) Use ADT:

If you use the Export Wizard, the ADT plugin in eclipse (starting with ver.0.9.3) will automatically align the release package.

Using the wizard, right-click the project properties and select Android Toolsàexport signed application package. Of course, you can also do this through the first page of the Androidmanifest.xml editor.

2) using Ant:

The ant compilation script (starting with Android 1.6) can align the package. Versions of the old platform cannot be aligned with the ant compilation script and must be manually aligned.

Starting with Android 1.6, when you compile in debug mode, Ant automatically signs the package to the alignment.

In release mode, if there is enough information to sign the package, Ant does the alignment because the alignment occurs after the signature. In order to be able to sign the package and then perform the alignment operation, Ant must know the location of the KeyStore and the name of key in Build.properties. The corresponding property names are Key.store and Key.alias. If these properties are empty, the signing tool prompts for the Store/key password during compilation, and the script performs the alignment of the signature and the APK file. If none of these properties are in place, the release package will not be signed and will naturally not be aligned.

3) Manual:

In order to be able to manually align packages, Android 1.6 and later SDKs have zipalign tools under the tools/folder. You can use it to align packages under any version. You must do this after signing the APK file, using the following command: Zipalign-v 4 source.apk destination.apk

4) Verify the alignment:

Zipalign-c-V 4 application.apk

Android Signature Detailed (debug and release)