Research on the signature of Android installation package

1. First, why Android needs to sign the installation package:

All Android applications require a developer to digitally sign a certificate before it is released, and the anroid system does not install a program that is not signed.
Usually our program can be installed and run on the emulator, because during application development, because the debug interview is compiled, so ADT will automatically use the default key and certificate to sign, and in the release mode, the APK file will not be automatically signed. This requires a manual signature.

Signing the APK can provide the following benefits:
1. Application Upgrade: If you want users to seamlessly upgrade to a new version, you must sign with the same certificate. This is because only the same certificate is signed and the system is allowed to install the upgraded application. If you have a different certificate, your application will be asked to take a different package name, in which case it is equivalent to installing a completely new application. If you want to upgrade the application, the signing certificate must be the same, the package name is the same!
2. Application modularity: The Android system can allow multiple applications signed by the same certificate to run in one process, the system actually uses them as a single application, we can deploy our application in a modular way, and users can upgrade one of the modules independently.
3. Code or data sharing: Android provides a signature-based permission mechanism, so one application can expose its functionality to another application that is signed with the same certificate. By signing multiple applications with the same certificate and leveraging signature-based permission checks, you can share code and data in a secure way between applications.

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

2. What is a re-signature and when does it need to be re-signed? How do I re-sign?

The so-called re-signing is to replace the certificate ID and signature information before the installation package, and then regenerate a new certificate and signature. It is often necessary to automate tests or to replace the resources in the installation package.

How to re-sign:
Method One:

1. Rename the APK package to the end of. zip. Delete the Meta-inf folder when you open it. Then change the suffix back to. apk.

2. Copy the new certificate (Debug.keystore) to the same directory as the apk file that needs to be re-signed (for example, copy to D:\Sign);

3. Open the terminal, or command line, enter the D:\Sign directory and run the following command
Jarsigner-verbose-keystore debug.keystore-storepass Android-signedjar phonebook_signed.apk-digestalg sha1-sigalg MD 5withRSA phonebook.apk Androiddebugkey/* Explanation:-jarsigner is the signature tool for Java-verbose parameter representation: Displays the signature details-keystore indicates the use of the Debug.keystore signing certificate file in the current directory-storepass Android represents KeyStore Password: "Android"-signedjar phonebook_signed.apk indicates that the APK name generated after the signature phonebook.apk represents an unsigned apk Android software-digestalg Sha1-sigalg Md5withrsa: This is the parameter that must be added if you are JDK 1.6 and is not affected-androiddebugkey represents the key alias.

Method Two: Use the third-party re-signing tool. Don't repeat it here.

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

3. How do I view the installation package signature information?

command line or terminal execution jarsigner-verify-verbose-certs xxx.apk click Enter.

Research on the signature of Android installation package