Android Signature Details (debug and release)

Source: Internet
Author: User
1. Why signature?

1) sender authentication

Because developers may use the same package name to confuse and replace the installedProgramTo ensure that the packages with different signatures are not replaced.

2) ensure the integrity of information transmission

The signature process each file in the package to ensure that the content in the package is not replaced.

3) prevent the occurrence of credit in the transaction and the requirements of the market for Software

2. Signature Description

1) All ApplicationsMust have a digital certificateAndroid does not install an application without a digital certificate.

2) the digital certificate used by the android package can be self-Signed and does not require signature authentication by an authoritative Digital Certificate Authority.

3) To officially release an Android Application,A digital certificate must be generated using a suitable private key.Instead of using the debugging certificate generated by the ADT plug-in or ant tool for release.

4) digital certificates are allValid PeriodAndroid only checks the validity period of the certificate when the application is installed. If the program has been installed in the system, the normal functions of the program will not be affected even if the certificate expires.

5) use the signatureZipalignOptimization Program

6) Android uses a digital certificate to identify the author of an application and establish a trust relationship between the application, rather than deciding which applications the end user can install.

3. Signature Method

Three packaging methods are available: command line manual packaging, ant automatic compilation packaging, and eclipse + ADT compilation and packaging. The packaging steps are as follows:

Step 1: generate the R. Java class file:

In eclipse, R. Java is automatically generated. Ant and command line generate R. Java using the aapt. Ext program provided by Android SDK.

Step 2: generate the. aidl file as a. Java file:

Automatically Generated in eclipse. Ant and command line use aidl.exe of Android sdk.exe to generate the. Java file.

Step 3: Compile the. Java class file to generate the class file:

Automatically Generated in eclipse. Ant and command line use JDK javac to compile Java class files to generate class files.

Step 4 package the class file to generate the classes. Dex file:

Automatically Generated in eclipse. Ant and command line generate the classes. Dex file using the DX. Bat command line script provided by Android SDK.

Step 5 package the resource file (including res, assets, and androidmanifest. XML ):

Automatically Generated in eclipse. Ant and command line generate resource package files using aapt.exe of Android sdk6.

Step 6: generate an unsigned APK installation file:

In eclipse, the debug signature file is automatically generated and stored in the bin directory. Ant and the command line generate the unsigned APK Installation File Using the apkbuilder. Bat Command Script provided by the android SDK.

Step 7 sign the unsigned APK to generate the signed Android file:

In eclipse, Android tools is used for signature. Ant and command line use JDK's jarsigner to sign unsigned packages with APK.


3.1 Use eclipse + ADT for signature


A) debug the signature

By default, the Eclipse plug-in grants the program a debug permission signature. The signature program cannot be published to the market. The signature is valid for one year. If it expires, you cannot generate an APK file, now you only need to delete the debug keystore, and the system will generate a new signature valid for one year for you.

B) The developer generates the key and signs the key.

Right-click the project name, select Android tools from the menu, and then select export signed application package to customize the certificate and sign the certificate through eclipse.

C) The developer exports the unsigned package

Right-click the project name, select Android tools from the menu, and then select export signed application package ..., You can export unsigned packages and then sign them using the command line method.

3.2 use command line Signature

Use standard Java tools keytool and jarsigner to generate certificates and sign programs.


A) Generate a signature

$ Keytool-genkey-keystore Keyfile-keyalg RSA-validity 10000-alias Yan

Note: validity is the number of days, Keyfile is the file where the generated key is stored, Yan is the private key, and RSA is the specified encryption.Algorithm(RSA or DSA is available)

B) sign the APK File

$ Jarsigner-verbose-keystore Keyfile-signedjar signed.apk base.apk Yan

Note: For keyfiles' generated keys' files, signed.apkis the appkey behind the signature, base.apk is the unsigned APK, and Yan is the private key.

C) Check whether an APK has been signed

$ Jarsigner-verify my_application.apk

D) optimization (Alignment Optimization is required after the signature)

$ Zipalign-V 4 your_project_name-unaligned.apk your_project_name.apk

3.3 signature compiled in source code

A) use the default signature in the source code.

The default signature is generally used for compiling in the source code, and is run in a source code directory.

$ Mm showcommands can see the Signature command

Android provides the signature program signapk. jar, which is used as follows:

$ Signapk publickey. X509 [. pem] privatekey. pk8 input. Jar output. Jar

*. X509.pem is the public key in X509 format, and pk8 is the private key.

Four default signatures are available in the build/target/product/security directory: testkey platform shared media(see readme.txt), Android in the application. MK has a local_certificate field, which specifies the key used for signature. If it is not specified, testkey is used by default.

B) self-signed in source code

Android provides a script mkkey. sh (build/target/product/security/mkkey. SH. the local_certificate field in MK indicates the signature used.

C) introduction to mkkey. Sh

I. Generate a Public Key

OpenSSL genrsa-3-out testkey. pem 2048

Among them,-3 is the algorithm parameter, 2048 is the key length, and testkey. PEM is the output file.

Ii. Convert to X509 format (including the author's validity period)

OpenSSL req-New-X509-key testkey. PEM-out testkey. x509.pem-days 10000-subj '/C = US/ST = California/L = mountainview/o = Android/ou = Android/CN = Android/emailaddress ='

Iii. Generate a private key

OpenSSL pkcs8-In testkey. pem-topk8-outform der-out testkey. pk8-nocrypt

Convert the format to PKCS #8.-nocryp is specified here, which indicates that it is not encrypted. Therefore, you do not need to enter a password for signing.

4. Signed files

1) The file related to the signature in the APK package is in the meta_inf directory.

CERT. SF: Generate Keys relative to each file

Manifest. MF: digital signature information

Xxx. SF: This is the signature file of the JAR file. The placeholder XXX identifies the signer.

Xxx. DSA: Signature and public key of the output file

2) source code

Development/tools/jarutils/src/COM. anroid. jarutils/signedjarbuilder. Java

Frameworks/base/services/Java/COM/Android/Server/packagemanagerservice. Java

Frameworks/base/CORE/Java/Android/content/PM/packagemanager. Java

Frameworks/base/cmds/PM/src/COM/Android/commands/PM. Java

Dalvik/libcore/security/src/main/Java/security/sign *

Build/target/product/security/platform .*

Build/tools/signapk /*

5. Signature Problems

An error is prompted during installation:Install_parse_failed_inconsistent_certificates

1) two applications with the same name and different signatures

2) The signature of the previous version is added during the upgrade, but not the signature of the later version.

3) When upgrading, the previous version uses the debug signature and the latter uses the custom signature.

4) When upgrading, the previous version is the signature in the android source code.

5.1 view default signature

The APK signature compiled by eclipse is different on different hosts or devices. Eclipse has a default signature. View the signature path:

1) Open eclipse à window à andorid à build. On this build page, find the default debug keysore edit box. The value in the box is the default path of Eclipse's keystore on this device.

2) If the application is not installed due to different signatures, you can replace the original keystore with the keystore on the current device. And restart eclipse. Otherwise, you can only uninstall the APK on the mobile device and reinstall it.

5.2 installation cannot be overwritten

1. Generate your APK by signing, instead of directly copying it from the bottom of the bin directory. The APK of each android executable program has its own signature, as long as the signature is consistent, you can overwrite the installation without uninstalling it;

2. Database Table Structure Changes (add a field, reduce a field, and create a new table ). Normal Database Upgrade Method public void onupgrade (sqlitedatabase dB, int oldversion, int newversion)

3. sharepreferences data has changed, which is similar to the database. For example, the original sharepreferences stores a Boolean value. In the later version, the stored data is changed to string, and the problem arises.

5.3 export a signature

1) Open the CMD console and enter the command: keytool-genkey-alias android. keystore-keyalg RSA-validity 20000-keystore android. keystore, enter the content in sequence as prompted, and remember the password, which will be used later;

2) After the keystore is generated, you can export the signature APK. In eclipse, right-click the project to be signed, and set location to the location of the generated keystore. The password is the password set when the keystore is created. Then, follow the prompts, next, finish, and the signature APK is exported successfully.


5.4 differences between debug signature and release Signature

1) the debug signature application cannot be sold on the Android Market. It forces you to use your own signature. The signature certificate is used in debug mode (Eclipse/ADT and ant compilation by default) since it was created,1Will expire in years.

2) Debug. keystore may generate different values on different machines, which means that if you change the machine to upgrade the APK version, the above program will appear.Installation issues cannot be overwrittenThe software does not have the upgrade function!

6. zipalign simple Optimization 6.1 why Optimization

The android SDK contains a "zipalign" tool that can optimize packaged applications. Running zipalign on your application makes interaction between Android and the application more efficient at runtime. Therefore, this method can make the application and the entire system run faster. We strongly recommend that you use the zipalign tool on new and released programs to get the optimized version, even if your program is developed on the old Android platform.

6.2 how to help improve performance

In Android, data files stored in each application are accessed by multiple processes. The installer reads the manifest file of the application to handle related permissions; the Home application reads the resource file to obtain the application name and icon. The system service reads the resource for many reasons (for example, displaying the Application Notification). In addition, that is, the application itself uses resource files.

In Android, when resource files are aligned to the 4-byte boundary through memory ingCodeIs efficient. However, if the resource itself is not aligned (the zipalign tool is not used), it must return to the old path, read them explicitly-this process will be slow and will consume additional memory.

For application developers, this explicit reading method is quite convenient. It allows different development methods, including normal processes that do not contain aligned resources. Therefore, this reading method is very convenient (for the original meaning of this section, see the original article ).

Unfortunately, for users, this is exactly the opposite-reading resources in an unaligned APK is slow and consumes a lot of memory. The best case is that the Home Program and the unaligned program start slowly than the aligned one (which is also the only visible effect ). The worst case is that installing apps with UN-aligned resources increases the memory pressure and causes the system to repeatedly start and kill processes. Eventually, the user gives up using devices that are so slow and consume power.


6.3 how to optimize

1) Use ADT:

If you use the export wizard, the ADT plug-in eclipse (starting from ver.0.9.3) will automatically align the release package.

Use the wizard, right-click Project properties, and select Android tools à export signed application package. You can also use the first page of the androidmanifest. XML editor.

2) use ant:

The ant compilation script (starting from Android 1.6) can align the package. Versions of the old platform cannot be aligned using the ant compilation script, and must be aligned manually.

Ant automatically alignment and signature packages during compilation in debug mode from Android 1.6.

In release mode, ant performs alignment only if there is sufficient information signature package, because alignment processing occurs after the signature. To sign the package and perform the alignment operation, ant must know the location of the keystore and the name of the key in build. properties. The corresponding attributes are key. Store and key. Alias. If these attributes are empty, the signature tool prompts you to enter the store/key password during the compilation process. Then, the script executes the signature and alignment of the APK file. If none of these attributes exist, the release package will not be signed and will naturally not be aligned.

3) Manual:

To manually align the package, zipalign is available in the tools/folders of Android 1.6 and later sdks. You can use it to align packages of any version. You must sign the APK file and run the following command: zipalign-V 4 source.apk destination.apk

4) Verify alignment:

Zipalign-C-V 4 application.apk

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.