Details Android APK package: About APK digital signature in detail

This article mainly explains the contents of the APK digital signature, and introduces the way of the APK debug mode and the digital signature in the release mode.

This article transferred from: http://www.jizhuomi.com/android/environment/293.html

1. What is a digital signature

A digital signature is a sign for your program to be your own, and when someone sees the signature, they know it's relevant to you.

2, why to digital signature

The simplest and most straightforward answer: system requirements.

Android requires every Android app to be digitally signed to install into the system, meaning that if an Android app is not digitally signed, there is no way to install it!

Android uses digital signatures to identify the author of an application and establish a trust relationship between applications, not to determine which applications the end user can install.

This digital signature is done by the author of the application and does not require an authoritative digital certificate signing Authority authentication, which is only used to make the application package self-certified.

3, the mechanism of digital certificate

Android uses a Java digital certificate-related mechanism to give the APK a digital certificate, to understand the digital certificate of Android, you need to first understand the following digital certificate concepts and Java digital certificate mechanism.

4. Benefits of using the same digital certificate for the program

1) Facilitates program upgrade

When the new program and the old version of the program's digital certificate, the Android system will consider the two programs are different versions of the same program. If the new program and the old version of the digital certificate is not the same, then the Android system think they are different programs, and create a conflict, will require the newly-created program to change the package name.

2) facilitates the modular design and development of the program.

Android allows programs with the same digital signature to run in one process, and the Android program treats them as the same program. So developers can develop their own programs into modules, and users only need to download the appropriate modules when needed.

3) You can share data and code across multiple programs in the same way as permissions (permission).

Android provides a digital certificate-based permission-granting mechanism that allows applications to share overviews or data with other programs to those that have the same digital credentials as themselves. If the ProtectionLevel of a permission (permission) is signature, this permission can only be granted to programs that have the same digital certificate as the package in which the permission resides.

5, when signing, you need to consider the validity of the digital certificate

1) The validity period of the digital certificate should include the program's expected life cycle, once the digital certificate expires, the program that holds the digital certificate will not be upgraded properly.

2) If multiple programs use the same digital certificate, the validity period of the digital certificate will include the expected lifetime of all programs.

3) Android market enforces that all application digital certificates are valid until October 22, 2033.

6, the key points of the digital certificate

Android digital certificates include the following points:

1) All applications must have a digital certificate, and the Android system will not install an application without a digital certificate.

2) The digital certificate used by the Android package can be self-signed and does not require an authoritative digital certificate Authority signature authentication.

3) If you want to formally publish an Android, you must use a digital certificate generated by a suitable private key to sign the program, instead of using the ADT plugin or the debug certificate generated by the Ant tool to publish.

4) Digital certificates are valid, and Android only checks the validity of the certificate when the application is installed. If the program is already installed on the system, it does not affect the normal functionality of the program, even if the certificate expires.

5) Android uses standard Java tools Keytool and Jarsigner to generate digital certificates and to sign application packages.

6) Use the Zipalign optimization program.

7, two modes of digital signature

We all know that Android does not install an APK program that runs without a digital signature, whether it is on the emulator or on the actual physical device. So we have a question, why do I not perform any signature operations during the daily development process, and the program will run on the emulator and the real machine? Let's talk about the two modes of the APK program: Debug mode and Release mode

1. Debug mode: In debug mode, ADT automatically uses the debug key to sign the application, so we can run the program directly.

Debug key: A file named Debug.keystore.

Storage location: C:\Users\Xiaopeng\.android\debug.keystore Xiaopeng corresponding to the user name replaced by their operating system

Two risks:

The debug signed application has such two risks:

1) The Debug signature app cannot be sold on Android Market, it will force you to use your own signature;

2) Debug.keystore on different machines may not be the same, it means that if you change the machine for the APK version upgrade, then the above program will not cover the installation of the problem.

Do not belittle this problem, if you develop the program only you use, of course, no matter, uninstall and install it. But if your software has a lot of customer use, this is a big problem, the equivalent of software does not have upgrade features! So be sure to have your own digital certificate to sign.

2, Release mode: When you want to publish the program, the developer will need to use their own digital certificate to the APK package signature.

Two ways to sign the APK with your own digital certificate:

1) sign the APK with a DOS command.

2) Use the ADT Export Wizard to sign.

Recommended by US:

• Technology Blog: mobile app encryption tool parsing
• Technical Blog: A brief analysis on the development tools of Gameplaykit Apple hand Tour
• Technology Blog: Programmer's Choice: several new open source tools in mobile development
  
• Technology Blog: How to prevent apk decompile view source code? Love encryption protects developers ' ideas

Details Android APK package: About APK digital signature in detail