Android Signature Detailed

• 1, what is the signature?
  If this problem is not in the Android development to ask, if it is placed in an ordinary section, I think we all know the meaning of the signature. It is often that some of life's commonly used terminology in the field of computer science, people began to confuse. What does the computer do, or what the programming language does, not simulate reality as much as possible? So, the signature in the computer and the signature in life are the same in nature, and the function that it plays is the same!
  Let's take a look at the signature in real life. Signing means writing your name on paper or elsewhere, or marking it somewhere as a unique sign of yourself, and when someone sees the signature, he will know that it's about you, not someone else.
• 2. Why do I need to sign the Android app?
  If you can only answer this question in a simple sentence, I will say, "This is what the Android system requires."
  Android requires every Android app to be digitally signed to install into the system, meaning that if an Android app is not digitally signed, there is no way to install it! Android uses digital signatures to identify the author of an application and establish a trust relationship between applications, not to determine which applications the end user can install. This digital signature is done by the author of the application and does not require an authoritative digital certificate signing Authority authentication, which is only used to make the application package self-certified.
• 3. Why do I develop Android apps that do not have any signatures to run on the emulator and phone?
  You do not have to sign the Android app and it doesn't mean that the Android app is not signed. To facilitate our development of the debug program, ADT automatically uses the debug key to sign the application. Debug key? Where is it? The Debug key is a file named Debug.keystore and its location:
  system drive letter: \documents and Settings\liufeng\.android\debug.keystore
• "Liufeng" corresponds to your own Windows operating system user name, what, is not already found it. This means that if we want to have our own signature, instead of having ADT sign it for us, we also have a key file (*.keystore) that belongs to you.
• 4. Android App signing step
• 1) Preparatory work
  APK signature work can be done in two ways:
  1) Complete the APK signature via the graphical interface provided by ADT;
•             2) Full DOS command to complete the APK signature
  I prefer the 2nd way, So the following will explain how to complete the APK signature by command. The
         to the APK signed a total of 3 tools, or 3 commands, respectively: Keytool, Jarsigner and Zipalign, the following is a brief introduction to these 3 tools:
              1) Keytool: Generate a digital certificate, which is a key, That is, the type of file with the. keystore extension mentioned above;
• 2) Jarsigner: Use digital certificate to sign APK file;
  3) Zipalign: Optimize the signature apk to improve the efficiency of interacting with Android (Android SDK1.6 version starts with this tool)
  The effects of these 3 tools can also be seen in the order in which these 3 tools are used. Usually all of the applications we develop ourselves use the same signature, that is, using the same digital certificate, which means: If you are signing the Android app for the first time, the 3 tools above will be used, but if you already have a digital certificate and then you sign the other apk later, You just need to use Jarsigner and zipalign to do it.
  To facilitate the use of the above 3 commands, you first need to add the paths of the above 3 tools to the environment variable path (I said it is for ease of use, did not say that this must be done). How to configure the environment variable is not explained here, here you need to say the default path of the 3 tools:
  1) Keytool: The tool is located in the bin directory of the JDK installation path;
• 2) Jarsigner: The tool is located in the bin directory of the JDK installation path;
  3) Zipalign: The tool is located in the Android-sdk-windows\tools\ directory
• It is not known whether people notice that the Keytool and Jarsigner two tools are the JDK, which means that the generation of digital certificates and file signatures is not a patent for Android, and it is also literally understood that the tool is primarily used to sign the jar file, Jarsigner.
• 2) generate an unsigned apk file
  Now that we have to sign the apk ourselves, we no longer need the ADT to sign it for us by default. How do I get an unsigned apk file? open Eclipse, right-click on the Android project name, select "Android Tools"-"Export Unsigned application Package ..." and select a storage location to save. This will get an unsigned apk file.
• 3) Generate a digital certificate using the Keytool tool
  Keytool-genkey-v-keystore liufeng.keystore-alias liufeng.keystore-keyalg rsa-validity 20000
• Description
  1) Keytool is the tool name,-genkey means to generate a digital certificate operation, and-V to print out the details of the generated certificate, displayed in the DOS window;
  2)-keystore Liufeng.keystore indicates the file name of the generated digital certificate is "Liufeng.keystore";
  3)-alias Liufeng.keystore that the certificate alias is "Liufeng.keystore", of course, it can not be the same as the above file name;
  4)-keyalg RSA indicates that the algorithm used to generate the key file is RSA;
  5)-validity 20000 indicates that the digital certificate is valid for 20,000 days, meaning that the certificate will expire after 20,000 days
  When you execute the above command to generate a digital certificate file, you are prompted to enter some information, including the certificate's password.
• 4) sign the Android app with the Jarsigner tool
  Jarsigner-verbose-keystore Liufeng.keystore-signedjar notepad_signed.apk notepad.apk liufeng.keystore
• Description
  1) Jarsigner is the tool name,-verbose indicates the details of the signature process is printed out, displayed in the DOS window;
  2)-keystore Liufeng.keystore indicates the location of the digital certificate used by the signature, there is no write path, which is indicated in the current directory;
  3)-signedjar notepad_signed.apk notepad.apk to notepad.apk file signature, signed file name is notepad_signed.apk;
  4) The last Liufeng.keystore represents the alias of the certificate, which corresponds to the name after the-alias parameter when generating the digital certificate
• 5) Use the Zipalign tool to optimize the signed apk(not required but recommended)
• Zipalign-v 4 notepad_signed.apk notepad_signed_aligned.apk
• Description
  1) zipalign is the tool name, and-V means to print out detailed optimization information in the DOS window;
  2) notepad_signed.apk notepad_signed_aligned.apk indicates that the signed file notepad_signed.apk is optimized, and the optimized file name is Notepad_signed_ aligned.apk
• Description:If your previous program is a default signature (that is, debug signature), once the new signature app will not overwrite the installation, the original program must be uninstalled before it can be installed. Because the program covers the installation main check two points:
  1) The entry activity for the two programs is the same. Two programs if the package name is not the same, even if all the other code is exactly the same, it will not be considered a different version of the same program;
  2) Whether the signatures used by the two programs are the same. If the signatures of the two programs are different, even if the package name is the same, it will not be treated as a different version of the same program and cannot overwrite the installation.
  In addition, someone may think that the debug signature application can be installed anyway, there is no need to sign their own. Don't think so, debug signed applications have such two limitations, or risk:
  1) The Debug signature app cannot be sold on Android Market, it will force you to use your own signature;
  2) Debug.keystore on different machines may not be the same, it means that if you change the machine for the APK version upgrade, then the above program will not cover the installation of the problem. Do not belittle this problem, if you develop the program only you use, of course, no matter, uninstall and install it. But if your software has a lot of customer use, this is a big problem, the equivalent of software does not have upgrade features!

  --------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------

  A few things to note:

  One: Multiple programs of the same developer use the same digital certificate as much as possible , which provides the following benefits.

  (1) in favor of the program upgrade, when the new version of the program and the old program's digital certificate, the Android system will think that the two programs are different versions of the same program. If the new program and the old version of the digital certificate is not the same, then the Android system think they are different programs, and create a conflict, will require the newly-created program to change the package name.

  (2) facilitates the modular design and development of the program. Android allows programs with the same digital signature to run in one process, and the Android program treats them as the same program. So developers can develop their own programs into modules, and users only need to download the appropriate modules when needed.

  (3) Data and code can be shared across multiple programs through permissions (permission). Android provides a digital certificate-based permission-granting mechanism that allows applications to share overviews or data with other programs to those that have the same digital credentials as themselves. If the ProtectionLevel of a permission (permission) is signature, this permission can only be granted to programs that have the same digital certificate as the package in which the permission resides.

  When signing, you need to consider the validity period of the digital certificate :

  (1) The validity period of the digital certificate should include the program's expected life cycle, once the digital certificate expires, the program that holds the digital certificate will not be upgraded properly.

  (2) If multiple programs use the same digital certificate, the validity period of the digital certificate will include the expected lifetime of all programs.

  (3) Android market enforces that all application digital certificates remain valid until October 22, 2033.

  Two: Android digital certificates contain the following points:

  (1) all applications must have a digital certificate and the Android system will not install an application without a digital certificate

  (2) The digital certificate used by the Android package can be self-signed and does not require an authoritative digital certificate Authority signature Authentication

  (3) If you want to formally publish an Android, you must sign the program with a digital certificate generated by a suitable private key , rather than using the ADT plugin or the debug certificate generated by the Ant tool to publish.

  (4) Digital certificates are valid , and Android only checks the validity of the certificate when the application is installed. If the program is already installed on the system, it does not affect the normal functionality of the program, even if the certificate expires.

  (5) Android uses standard Java tools Keytool and Jarsigner to generate digital certificates and to sign application packages.

  (6) Use the zipalign optimization program.

  Android does not install an APK program that runs without a digital signature, either on the emulator or on the actual physical device. Android's development tools (ADT plugin and ANT) can help developers sign the APK program in two modes: Debug mode and Release mode.

  In debug mode, Android's development tools use a debug digital certificate to sign the program each time they compile, and developers don't need to worry about it.

  When you want to publish a program, developers need to use their own digital certificate to sign the APK package, there are two ways to do it.

  (1) Use the Keytool in the JDK (for generating digital certificates) and Jarsigner (for signing with digital certificates) on the command line to sign the APK package.

  (2) Signing with ADT Export Wizard (if no digital certificate may be required to generate a digital certificate).

Android Signature Detailed