Android signature tutorial

Source: Internet
Author: User

In Android, every application installed on the system must carry a digital certificate. Android uses the certificate to identify the author of an application and to establish trust relationships between applications, not to decide which applications the end user may install. For example, if the protectionLevel of a permission is signature, only applications signed with the same digital certificate as the program that declares the permission can obtain it. The private key of the certificate is held by the application's developer. The certificate does not need to be issued by an authoritative certificate authority; it is only used to authenticate the application package. Android adds the certificate to the APK through Java's digital certificate mechanism, so to understand Android signing you must first understand digital certificates and how Java handles them.
Google also relies on the Android signature mechanism for the security of the entire platform. Signing can be done with Sun's JAR file signing tool, jarsigner. Why do we need to sign at all? Because software installed on a G1 handset must be signed.

Software downloaded from the Android Market must be signed, so signing is an unavoidable step before upload. The general steps below show how to use keytool and jarsigner to create a signed APK file. Google designed this well: unlike Symbian, where the S60 3rd and 5th Editions cost 200 USD per test, signing an Android program costs nothing. If jarsigner fails with a ZipException "invalid entry compressed size" error and the JAR cannot be signed, the main reason is that the ADT plug-in used by Eclipse has already signed the package with the debug certificate. Export an unsigned APK file instead (see "How to export an unsigned APK file?"); the APK can then be signed successfully.

1. Multiple programs from the same developer should use the same digital certificate wherever possible. This brings the following benefits.
(1) It makes program upgrades possible. When the new and old versions of a program have the same digital certificate, Android treats them as different versions of the same program. If the certificates differ, Android treats them as different programs that conflict with each other, and the new program must change its package name.
(2) It supports modular design and development. Android allows programs signed with the same digital certificate to run in one process and treats them as a single program. Developers can therefore split a program into modules, and users only need to download the modules they want.
(3) Data and code can be shared among programs through permissions. Android provides a certificate-based permission mechanism: an application can share functions or data with other programs that have the same digital certificate as itself. If the protectionLevel of a permission is signature, the permission can be granted only to programs with the same digital certificate as the package that declares it.

When choosing a signing certificate, you must consider its validity period:
(1) The validity period must cover the expected life cycle of the program. Once the certificate expires, programs signed with it can no longer be upgraded normally.
(2) If multiple programs use the same digital certificate, the validity period should cover the estimated life cycle of all of them.
(3) Android Market requires that the digital certificates of all applications be valid until October 22, 2033.

2. The key points about Android digital certificates are:
(1) All applications must have a digital certificate. Android does not install an application that has none.
(2) The digital certificate used by an Android package can be self-signed; it does not need to be signed by an authoritative certificate authority.
(3) To officially release an Android application, you must sign it with a certificate generated from a suitable private key of your own, not with the debug certificate generated by the ADT plug-in or the Ant tool.
(4) Digital certificates have a validity period. Android checks the validity period only when the application is installed. If the program is already installed, it keeps working normally even after the certificate expires.
(5) Android uses the standard Java tools keytool and jarsigner to generate the digital certificate and sign the application package.
(6) Optimize the signed package with zipalign.
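
The rules above (same certificate for upgrades, a validity period that covers the program's life and the Android Market date, no debug certificate for release) can be checked mechanically before publishing. The following Python script is an added example, not part of the original tutorial; it assumes English-locale `keytool -list -v` output, and the function names, sample text and fingerprints are constructed for illustration.

```python
import re
from datetime import date

MARKET_CUTOFF = date(2033, 10, 22)  # Android Market rule quoted above
DEBUG_OWNER = "CN=Android Debug"    # subject of the SDK-generated debug certificate
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# keytool prints java.util.Date text, e.g. "Wed Jun 20 10:12:45 CST 2063"
UNTIL_RE = re.compile(r"until: \w{3} (\w{3}) +(\d{1,2}) [\d:]+ \S+ (\d{4})")
SHA1_RE = re.compile(r"SHA1:\s*((?:[0-9A-F]{2}:){19}[0-9A-F]{2})")

def parse_cert(text):
    """Return (owner, expiry date, SHA1 fingerprint) from `keytool -list -v` text."""
    owner = re.search(r"^Owner: (.+)$", text, re.M)
    until = UNTIL_RE.search(text)
    sha1 = SHA1_RE.search(text)
    if not (owner and until and sha1):
        raise ValueError("expected English `keytool -list -v` output")
    month, day, year = until.groups()
    expires = date(int(year), MONTHS.index(month) + 1, int(day))
    return owner.group(1).strip(), expires, sha1.group(1)

def release_problems(text, end_of_life=None):
    """List the reasons this certificate should not sign a release APK."""
    owner, expires, _ = parse_cert(text)
    problems = []
    if owner.startswith(DEBUG_OWNER):
        problems.append("debug certificate")
    if expires < MARKET_CUTOFF:
        problems.append("expires %s, before %s" % (expires, MARKET_CUTOFF))
    if end_of_life and expires < end_of_life:
        problems.append("expires before planned end of life %s" % end_of_life)
    return problems

def can_upgrade(old_text, new_text):
    """An update replaces the installed app only if both certificates match."""
    return parse_cert(old_text)[2] == parse_cert(new_text)[2]

def _sample(owner, until, fp_byte):  # constructed text, not real certificates
    return ("Owner: %s\nIssuer: %s\n"
            "Valid from: Tue Sep 16 10:12:45 CST 2008 until: %s\n"
            "Certificate fingerprints:\n\t SHA1: %s\n"
            % (owner, owner, until, ":".join([fp_byte] * 20)))

RELEASE = _sample("CN=android123, OU=www.android123.com.cn, C=CN",
                  "Wed Jun 20 10:12:45 CST 2063", "A1")
DEBUG = _sample("CN=Android Debug, O=Android, C=US",
                "Wed Sep 16 10:12:45 CST 2009", "D0")

if __name__ == "__main__":
    print(release_problems(RELEASE), release_problems(DEBUG), can_upgrade(DEBUG, RELEASE))
```

The 2063 expiry in the release sample corresponds to a certificate created in September 2008 with -validity 20000; a build signed with the debug certificate can never be upgraded in place by the release build, because the fingerprints differ.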

Android does not install or run any unsigned APK, whether on an emulator or on a physical device. The Android development tools (the ADT plug-in and Ant) help developers sign APKs in two modes: debug mode and release mode.
In debug mode, the development tools sign the program with a debug certificate at every build. Developers do not need to do anything.
To publish a program, developers must sign the APK package with their own digital certificate. There are two methods.
(1) Use the JDK tools keytool (to generate the digital certificate) and jarsigner (to sign with it) on the command line.
(2) Use the ADT export wizard to sign (if you have no digital certificate yet, the wizard can generate one).

3. Two signature methods

First signature method: use keytool and jarsigner to sign the program (for versions earlier than 1.5)
Command: keytool -genkey -v -keystore ophone.keystore -alias ophone -keyalg RSA -validity 20000
In this command, -keystore ophone.keystore names the keystore file that is generated, and a path can be added (by default it is created in the user's home directory); -alias ophone sets the certificate alias to ophone; -keyalg RSA selects the RSA algorithm; -validity 20000 makes the certificate valid for 20000 days.

Both Android and Symbian programs can be self-signed. On the Android platform, however, certificate handling is still at an early stage: programs uploaded through the ADB interface during normal development are automatically signed with the debug certificate. Signature verification is required when you upload a program to the Android Market.
How to create an Android signature
First, if you did not install the JDK when setting up Android development, download the JDK from Sun's official website: http://www.java.net/download/jdk...6-p-12_sep_2008.exe. In fact, only keytool and jarsigner are needed.
Detailed signature steps:
Step 1
C:\Program Files\Java\jdk1.6.0_10\bin> keytool -genkey -alias android123.keystore -keyalg RSA -validity 20000 -keystore android123.keystore
Enter the keystore password: [password is not displayed]
Enter the new password again: [password is not displayed]
What is your first name and last name?
[Unknown]: android123
What is the name of your organizational unit?
[Unknown]: www.android123.com.cn
What is the name of your organization?
[Unknown]: www.android123.com.cn
What is the name of your city or region?
[Unknown]: New York
What is the name of your state or province?
[Unknown]: New York
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=android123, OU=www.android123.com.cn, O=www.android123.com.cn, L=New York, ST=New York, C=CN correct?
[No]: Y
Enter the key password for <android123.keystore>
(if it is the same as the keystore password, press Enter):
Here, the -validity parameter is the number of days the certificate is valid; we set it to a maximum of 20000 days. The password is not echoed while you type it, so just type it and press Enter. A password of about 20 characters is generally recommended, and you need to remember it because it is used again later.
Next, we sign the APK file.

Step 2
Execute the following command: jarsigner -verbose -keystore android123.keystore -signedjar android123_signed.apk android123.apk android123.keystore
This produces android123_signed.apk, the signed Android APK file. The password you are asked for is the one you entered in keytool.
For more on publishing and signing Android programs, see the SDK article at http://code.google.com/android/devel/sign-publish.html.
The keytool and jarsigner parameters are listed below for reference:
keytool usage:
-certreq [-v] [-protected]
     [-alias <alias>] [-sigalg <sigalg>]
     [-file <csr_file>] [-keypass <key password>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-changealias [-v] [-protected] -alias <alias> -destalias <target alias>
     [-keypass <key password>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-delete [-v] [-protected] -alias <alias>
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-exportcert [-v] [-rfc] [-protected]
     [-alias <alias>] [-file <certificate file>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-genkeypair [-v] [-protected]
     [-alias <alias>]
     [-keyalg <keyalg>] [-keysize <key size>]
     [-sigalg <sigalg>] [-dname <dname>]
     [-validity <valdays>] [-keypass <key password>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-genseckey [-v] [-protected]
     [-alias <alias>] [-keypass <key password>]
     [-keyalg <keyalg>] [-keysize <key size>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-help
-importcert [-v] [-noprompt] [-trustcacerts] [-protected]
     [-alias <alias>]
     [-file <certificate file>] [-keypass <key password>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-importkeystore [-v]
     [-srckeystore <source keystore>] [-destkeystore <target keystore>]
     [-srcstoretype <source storage type>] [-deststoretype <target storage type>]
     [-srcstorepass <source keystore password>] [-deststorepass <target keystore password>]
     [-srcprotected] [-destprotected]
     [-srcprovidername <source provider name>]
     [-destprovidername <target provider name>]
     [-srcalias <source alias> [-destalias <target alias>]
       [-srckeypass <source key password>] [-destkeypass <target key password>]]
     [-noprompt]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-keypasswd [-v] [-alias <alias>]
     [-keypass <old key password>] [-new <new key password>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-list [-v | -rfc] [-protected]
     [-alias <alias>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
-printcert [-v] [-file <certificate file>]
-storepasswd [-v] [-new <new keystore password>]
     [-keystore <keystore>] [-storepass <keystore password>]
     [-storetype <storage type>] [-providername <name>]
     [-providerclass <provider class name> [-providerarg <parameter>]] ...
     [-providerpath <path list>]
jarsigner usage: jarsigner [options] jar-file alias
                 jarsigner -verify [options] jar-file
[-keystore <url>]            keystore location
[-storepass <password>]      password used for keystore integrity
[-storetype <type>]          keystore type
[-keypass <password>]        private key password (if different)
[-sigfile <file>]            name of the .SF/.DSA file
[-signedjar <file>]          name of the signed JAR file
[-digestalg <algorithm>]     name of the digest algorithm
[-sigalg <algorithm>]        name of the signature algorithm
[-verify]                    verify a signed JAR file
[-verbose]                   output details during signing/verification
[-certs]                     display certificates during verbose verification
[-tsa <url>]                 location of the time stamping authority
[-tsacert <alias>]           public key certificate of the time stamping authority
[-altsigner <class>]         class name of an alternative signing mechanism
[-altsignerpath <path list>] location of an alternative signing mechanism
[-internalsf]                include the .SF file inside the signature block
[-sectionsonly]              do not compute the hash of the entire manifest
[-protected]                 keystore has a protected authentication path
[-providerName <name>]       provider name
[-providerClass <class>      name of the cryptographic service provider's
  [-providerArg <parameter>]] ... main class file and constructor parameters
At this point, ophone.keystore, the certificate we just created, appears in the user's home directory.

Second signature method: the APK signing procedure for Android 1.5 and later versions.

1. Open Eclipse -> select the project you want to sign -> right-click -> Android Tools -> Export Signed Application Package...

2. A window pops up.

3. Check that the project name is correct, then click Next.
The keystore selection then appears. If you already have a keystore file, select it, enter the keystore password, and click Next to sign.
If not, select Create new keystore, choose where to save the keystore, set the keystore password, and click Next.

4. Enter the basic information for the key, such as alias, password, validity period, name, organizational unit, organization, city, province, and country. Click Next.

5. Select the Save location of the signed APK. Click Finish.

6. You can find the corresponding signed APK file in your saved location.

The preceding signing method applies only to Android 1.5 and later versions. Thank you.
