My understanding of the signature of the APK file in Android

Previously, I was not very clear about why the developed Android program needs to digitally sign its APK file. I just want to know that it is more legal to protect its copyright, prevent infringement by others. But now, I think this is not just the case. Let's talk about my opinion.

In fact, the Android platform requires each. The APK package (each application archive file) has a digital signature. If no digital signature is available, the corresponding .apk cannot be run. Speaking of this, you may have questions. I didn't sign the app when I used the SDK for development. This is not the case.

Anyone who has developed or learned the Google map application knows the Debug. keystore file (the file is located in the. Android subdirectory of the user's main directory by default ). When we write our own programs in eclipse and run them, they are in the debugging mode. In debug mode, the SDK is stored in debug. the self-Signed debugging key in the keystore file automatically digitally signs your application (because of this signature, the system has automatically configured it for us, so we feel that, we can run the program without a signature ).

Because the debugging keys and key libraries are configured automatically, we do not need to worry about digital signatures when developing Android applications using the SDK. However, if you want to exit the debugging mode and run it outside the ADB, this will not work. This is because you need to manually configure the signature.

The procedure is as follows: Use the keytool command and jarsinger tool. (Of course, the premise is that you have to install JDK and perform operations under DOS)

 

1. An example of using the keytool command to create a self-Signed private key is as follows: (this is just an example and can be modified according to your situation)

C:/program files/Java/jdk1.6.0 _ 10/bin> keytool-genkey-v-keystore key. keystore-alias my_key-keyalg RSA

-Validity 10000

"C:/program files/Java/jdk1.6.0 _ 10/bin" is the path saved by JDK. This command generates a key (-genkey) in detail mode, which uses key. keystore. the keystore file and the alias my_key are used, and the RSA encryption algorithm is used to set the validity period to 10000 days. Enter this command to perform step-by-step operations.

 

2. After creating a private key, you can use jarsigner to sign the application file. Before using this tool, export the .apk file that is not signed for the project. To export a project using the eclipse/ADT environment, right-click the project and choose Android tools> export unsigned application package.

 

The procedure is as follows:

Jarsigner-verbose-keystore key. keystore-signedjar android123_signed.apk android123.apk my_key (this step is closely related to Step 1 and can be executed only after Step 1 is completed)

3. Finally, verify whether the signature is successful, as shown below:

C:/program files/Java/jdk1.6.0 _ 10/bin> jarsigner-verify android123.apk

If yes, the following message is displayed:

Jar verified