Android app Signing

This article focuses on the theoretical knowledge of Android application signatures and how to publish Android apps.

1.the concept of signature

A signature that is familiar to a person's daily life, it is a special mark on behalf of someone, used to uniquely identify someone. While the nature of the signature of an Android application is the same as the signature in everyday life, the signature in the application is also a special tag that the developer plays in the application, and when someone sees this tag, he will know that the application is relevant to you or that you have developed it. And not others.

2.Androidmust the application be signed?

Yes,Google 's published Android system requires that each published application be signed. the signing of the Android application is used to establish a trust relationship between the program developer and the package, and when the application is updated,theandroid system requires a new / the signatures of the old two applications must be identical.

Unlike signing on Windows,Android signatures do not require authoritative digital Certificate Authority authentication and are not used to determine which applications the end user can install. It is the program's author's own completion, is the Android System in the package of a self-certification mechanism.

3.DebugSignature

If you are a newly-started developer, you will find that the application you are developing is not signed or installed on the Android machine because the ADT tool uses The debug digital certificate ( which exists in debug.keystore) is automatically used for each development phase of the application Debug signature.

Debug.keystore is also known as the debug keystore , which is required when signing the app , and is installed when you use eclips ADT(Android development Tools) plugin,ADT comes with Debug KeyStore (also known as Testimony Library, because *.keystore is used to store digital certificates), the file is placed in:

System disk: \users\zhangsan\.android\ Debug.keystore. There may be subtle differences in the location of the different system key libraries.

Typically, applications in the development phase do not require authors to create their own KeyStore files (*.keystore), But if you want to publish an already developed application you must use your own signature,debug signed applications are not published to the store.

4.How to sign an application

the signature of the App can be done in two ways, using The graphical interface provided by ADT, or using a command line (DOS) command to sign.

1) graphical tool for signingFirst step: Export

Select Project - right - ->export export Android application(here I use zhgl Demo of this Android App project)

Step Two: Select theappEngineering

Step three: Create a KeyStore(*.keystore)

The first time you use the Select Create new KeyStore, specify the location where thekeystore (. keystore) is stored: C:\Users\chen.jian\Desktop\ Androidsignature, and set the KeyStore password.

PS: The key can be signed for multiple applications Oh, it is recommended that developers have a keystore on the line.

Fourth step: Create a signing certificate

The concept of Signing certificate: In the real environment, the certificate will carry the author / certificate content and other related information, then there will be issued a certificate authority signature or seal, and the signing certificate here is essentially the same, you set the password equivalent to the signature, the signature tool will use this password to apk for encryption.

--alias: Key store Aliases (the author is self-setting, case-insensitive, KeyStore can hold multiple signing certificates (digital certificates), different apps suggest creating different signing certificates)

--Password: Key Password

--validity: Validity period of signing certificate

Fifth step: Generate a signedapkfile

Sixth step: Use the created certificate toapkto sign.

2)DOScommand to sign

three tools are required to sign the apk in a DOS environment : Keytool,jarsigner, Zipalign

• Keytool: Create a KeyStore, create a digital certificate, in the bin installation directory of the JDK ( for example:C:\Program Files\java\jdk1.6.0_10\bin)
• Jarsigner: The apk is signed and also in the bin installation directory of the JDK
• Zipalign: Optimized the signature apk file to improve the execution efficiency of the virtual machine, which exists in the tools Directory of the SDK ( eg:D:\android-sdk-windows\tools\)

It can be seen that the apk signature is not a patent for Android , but the beginning of the Java era has existed.

PS: If you want to use these tools in a DOS Environment, you need to add them to the environment variables in Windows .

The first step: Export unsignedapkfile

Step Two: UseKeytoolCreate a digital certificate

Keytool-genkey-v-keystore chenjian.keystore-alias androidkeystore_v1-keyalg rsa-validity 20000

Description

• Keytool is the tool name,-genkey means to generate a digital certificate operation, and-v to print out the details of the generated certificate, shown in dos the window;
• -keystore Chenjian.keystore indicates the file name of the generated digital certificate is "Chenjian. KeyStore";
• -alias ANDROIDKEYSTORE_V1 indicates that the certificate alias is "Androidkeystore_v1";
• -keyalg RSA indicates that the algorithm used to generate the key file is RSA;
• -validity 20000 indicates that the digital certificate is valid for 20000 days, which means that the certificate will expire after 20000 days

When you execute the above command to generate a digital certificate file, you are prompted to enter some information, including the certificate's password.

The key library will be placed in the current directory C:\Users\chen.jian\ Chenjian.keystore, you can also specify the directory yourself.

The third step is to useJarsignerGiveappSignature:

Jarsigner-verbose-keystore Chenjian.keystore-signedjar signed_zhgl.apk unsigned_zhgl.apk androidkeystore_v1

Description

• Jarsigner is the tool name,-verbose indicates that the details of the signature process are printed out and displayed in a dos window;
• -keystore Chenjian.keystore represents the location of the digital certificate used by the signature, there is no write path, which is indicated in the current directory;
• -signedjar signed_zhgl.apk unsigned_zhgl.apk to unsigned_zhgl.apk file signature, signed file name is Signed_zhgl.apk;

The last AndroidKeystore_v1 represents the alias of the certificate, which corresponds to the name after the-alias parameter when generating the digital certificate.

Fourth Step optimizationapp:

Zipalign-v 4 signed_zhgl.apk signed_aligned_zhgl.apk

Description

• Zipalign is the tool name, and-v means that detailed optimization information is printed in the DOS window;
• signed_zhgl.apk signed_aligned_zhgl.apk indicates that the signed file signed_zhgl.apk is optimized and the optimized file name is signed_aligned_ zhgl.apk
• Note: If your previous program is a default signature (i.e. debug signature), once the new signature application will not overwrite the installation, the original program must be uninstalled before it can be installed. Because the program covers the installation main check two points:
• The entry Activity for both programs is the same. Two programs if the package name is not the same, even if all the other code is exactly the same, it will not be considered a different version of the same program;
• Whether the signatures used by the two programs are the same. If the signatures of the two programs are different, even if the package name is the same, it will not be treated as a different version of the same program and cannot overwrite the installation.
• In addition, someone may think that the debug Signature application can be installed anyway, there is no need to sign their own. Don't think so,debug signed applications have such two limitations, or risk:
• The debug signature app cannot be sold on Android Market, it will force you to use your own signature;

Debug.keystore on different machines may not be the same, which means that if you change the machine for apk version upgrade, then the above program will not cover the installation of the problem. Do not belittle this problem, if you develop the program only you use, of course, no matter, uninstall and install it. But if your software has a lot of customer use, this is a big problem, the equivalent of software does not have upgrade features!

5.Digital Certificate Usage1) Advantages of sharing digital certificates

• In favor of the program upgrade, when the new version of the program and the old program's digital certificate, theAndroid system will think that the two programs are different versions of the same program. If the new program and the old version of the digital certificate is not the same, then the Android system think they are different programs, and create a conflict, will require the newly-created program to change the package name.
• facilitates the modular design and development of the program. Android The system allows a program with the same digital signature to run in a process, Android The program treats them as the same program. So developers can develop their own programs into modules, and users only need to download the appropriate modules when needed.
• You can share data and code among multiple programs through Permissions (permission) . Android provides a digital certificate-based permission-granting mechanism that allows applications to share overviews or data with other programs to those that have the same digital credentials as themselves. If the protectionlevel of a permission (permission) is signature, This permission can only be granted to programs that have the same digital certificate as the package in which the permission resides.

2) The validity period of the digital certificate

• The validity period of a digital certificate is to include the program's expected life cycle, and once the digital certificate expires, the program that holds the digital certificate will not upgrade properly.
• If multiple programs use the same digital certificate, the validity period of the digital certificate includes the expected life cycle of all programs.
• Android Market enforces that all application digital certificates are valid for a period of 2033 years after the date of the month .

3) key points of digital certificates

• the digital certificate used by the Android package can be self-signed and does not require an authoritative digital certificate Authority signature Authentication
• If you want to formally publish an Android, you must use a digital certificate generated by a suitable private key to sign the program, instead of using the ADT plugin or ant  The tool generates a debug certificate to publish.
• Digital certificates are valid, andAndroid only checks the validity of the certificate when the application is installed. If the program is already installed on the system, it does not affect the normal functionality of the program, even if the certificate expires.
• Android uses standard java tools Keytool and Jarsigner to generate digital certificates and to sign application packages.

6.Publish the Application

The process of publishing apps on Google Play is available on the Web , and I'll just briefly describe how the application is published in the domestic app Store .

The first step: first you have to have a single account, The account is universal (can be in the security guard, mobile assistant, publishing applications ... ), unlike ordinary accounts, if you want to publish the software in the App Store, you have to do real-name authentication, hand-held ID photos.

Step Two: Login http://dev.360.cn/ Select Publish Application , enter new page and select Create software

Step three: Follow the prompts to fill in the relevant information of the software , it is worth noting that the upload image size has special requirements, it is best to see clearly after the screenshot, editing, otherwise it will waste a lot of time.

Fourth step: Wait for the audit to pass

PS: After registering a developer account, you can choose the functions of starting, cloud testing, software hardening, and advertising access.

Android app Signing