Signing Your Applications (Android signature related)

Source: Internet
Author: User

In this document
    1. Signing Overview
      1. Signing in Debug Mode
      2. Signing in Release Mode
      3. Signing Android Wear Apps
    2. Signing Your App in Android Studio
      1. Automatically Signing Your App
    3. Signing Considerations
    4. Securing Your Private Key
    5. Expiry of the Debug Certificate
    6. Signing Your App Manually
Signing Your Applications

Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority. Android apps often use self-signed certificates. The app developer holds the certificate's private key.

Signing Overview

You can sign an app in debug or release mode. You sign your app in debug mode during development and in release mode when you are ready to distribute your app. The Android SDK generates a certificate to sign apps in debug mode. To sign apps in release mode, you need to generate your own certificate.

Signing in Debug Mode

In debug mode, you sign your app with a debug certificate generated by the Android SDK tools. This certificate has a private key with a known password, so you can run and debug your app without typing the password every time you make a change to your project.

Android Studio signs your app in debug mode automatically if you run or debug your project from the IDE.

You can run and debug an app signed in debug mode on the emulator and on devices connected to your development machine through USB, but you cannot distribute an app signed in debug mode.

By default, the debug configuration uses a debug keystore, with a known password and a default key with a known password. The debug keystore is located in $HOME/.android/debug.keystore, and is created if not present. The debug build type is set to use this debug SigningConfig automatically.

For more information on how to build and run apps in debug mode, see Building and Running.

Signing in Release Mode

In release mode, you sign your app with your own certificate:

  1. Create a keystore. A keystore is a binary file that contains a set of private keys. You must keep your keystore in a safe and secure place.
  2. Create a private key. A private key represents the entity to be identified with the app, such as a person or a company.
  3. Add the signing configuration to the build file for the app module:

    ...
    android {
        ...
        defaultConfig { ... }
        signingConfigs {
            release {
                storeFile file("myreleasekey.keystore")
                storePassword "password"
                keyAlias "MyReleaseKey"
                keyPassword "password"
            }
        }
        buildTypes {
            release {
                ...
                signingConfig signingConfigs.release
            }
        }
    }
    ...
  4. Invoke the assembleRelease build task from Android Studio.

The APK in app/build/apk/app-release.apk is now signed with your release key.

Note: Including the passwords for your release key and keystore inside the build file is not a good security practice. Alternatively, you can configure the build file to obtain these passwords from environment variables, or have the build process prompt you for these passwords.

To obtain these passwords from environment variables:

    storePassword System.getenv("KSTOREPWD")
    keyPassword System.getenv("KEYPWD")

To have the build process prompt you for these passwords if you are invoking the build from the command line:

    storePassword System.console().readLine("\nKeystore password: ")
    keyPassword System.console().readLine("\nKey password: ")

You can now distribute your app and publish it on Google Play.

Warning: Keep your keystore and private key in a safe and secure place, and ensure that you have secure backups of them. If you publish an app to Google Play and then lose the key with which you signed your app, you will not be able to publish any updates to your app, since you must always sign all versions of your app with the same key.

The rest of this document provides detailed instructions on how to generate a private key and sign your apps in release mode with Android Studio.

Signing Android Wear Apps

When publishing Android Wear apps, you package the wearable app inside of a handheld app, because users cannot browse and install apps directly on the wearable. Both apps must be signed. For more information on packaging and signing Android Wear apps, see Packaging Wearable Apps.

Signing Your App in Android Studio

To sign your app in release mode in Android Studio, follow these steps:

  1. On the menu bar, click Build > Generate signed APK.
  2. On the Generate signed APK Wizard window, click Create new to create a new keystore.

    If you already have a keystore, go to step 4.

  3. On the New Key Store window, provide the required information as shown in Figure 1.

    Your key should be valid for at least years, so you can sign app updates with the same key through the lifespan of your app.

    Figure 1. Create a new KeyStore in Android Studio.

  4. On the Generate signed APK Wizard window, select a keystore and a private key, and enter the passwords for both. Then click Next.

    Figure 2. Select a private key in Android Studio.

  5. On the next window, select a destination for the signed APK and click Finish.

    Figure 3. Generate a signed APK in Android Studio.

Automatically Signing Your App

In Android Studio, you can configure your project to sign your release APK automatically during the build process:

    1. In the project browser, right-click on your app and select Open Module Settings.
    2. In the Project Structure window, select your app's module under Modules.
    3. Click on the Signing tab.
    4. Select your keystore file, enter a name for the signing configuration (as you may create more than one), and enter the required information.

      Figure 4. Create a signing configuration in Android Studio.

    5. Click on the Build Types tab.
    6. Select the release build.
    7. Under Signing Config, select the signing configuration you just created.

      Figure 5. Select a signing configuration in Android Studio.

    8. Click OK.

You can also specify your signing settings in Gradle configuration files. For more information, see Configuring Gradle Builds.

Signing Considerations

You should sign all of your apps with the same certificate throughout the expected lifespan of your applications. There are several reasons why you should do so:

  • App upgrade: When the system is installing an update to an app, it compares the certificate(s) in the new version with those in the existing version. The system allows the update if the certificates match. If you sign the new version with a different certificate, you must assign a different package name to the application; in this case, the user installs the new version as a completely new application.
  • App modularity: Android allows apps signed by the same certificate to run in the same process, if the applications so request, so that the system treats them as a single application. In this way you can deploy your app in modules, and users can update each of the modules independently.
  • Code/data sharing through permissions: Android provides signature-based permissions enforcement, so that an app can expose functionality to another app that is signed with a specified certificate. By signing multiple apps with the same certificate and using signature-based permissions checks, your apps can share code and data in a secure manner.

If you plan to support upgrades for an app, ensure that your key has a validity period that exceeds the expected lifespan of that app. A validity period of years or more is recommended. When your key's validity period expires, users will no longer be able to seamlessly upgrade to new versions of your application.

If you plan to publish your apps on Google Play, the key you use to sign these apps must have a validity period ending after October 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.

Securing Your Private Key

Maintaining the security of your private key is of critical importance, both to you and to the user. If you allow someone to use your key, or if you leave your keystore and passwords in an unsecured location such that a third party could find and use them, your authoring identity and the trust of the user are compromised.

If a third party should manage to take your key without your knowledge or permission, that person could sign and distribute apps that maliciously replace your authentic apps or corrupt them. Such a person could also sign and distribute apps under your identity that attack other apps or the system itself, or corrupt or steal user data.

Your private key is required for signing all future versions of your app. If you lose or misplace your key, you will not be able to publish updates to your existing app. You cannot regenerate a previously generated key.

Your reputation as a developer entity depends on your securing your private key properly, at all times, until the key has expired. Here are some tips for keeping your key secure:

    • Select strong passwords for the keystore and key.
    • Do not give or lend anyone your private key, and do not let unauthorized persons know your keystore and key passwords.
    • Keep the keystore file containing your private key in a safe, secure place.

In general, if you follow common-sense precautions when generating, using, and storing your key, it will remain secure.

Expiry of the Debug Certificate

The self-signed certificate used to sign your application in debug mode has an expiration date of 365 days from its creation date. When the certificate expires, you will get a build error.

To fix this problem, simply delete the debug.keystore file. The default storage location is ~/.android/ on OS X and Linux, C:\Documents and Settings\<user>\.android\ on Windows XP, and C:\Users\<user>\.android\ on Windows Vista and Windows 7.

The next time you build, the build tools will regenerate a new keystore and debug key.

Note that if your development machine uses a non-Gregorian locale, the build tools may erroneously generate an already-expired debug certificate, so you get an error when trying to compile your application. For workaround information, see the troubleshooting topic "I can't compile my app because the build tools generated an expired debug certificate".

Signing Your App Manually

You don't need Android Studio to sign your app. You can sign your app from the command line using standard tools from the Android SDK and the JDK. To sign an app in release mode from the command line:

  1. Generate a private key using keytool. For example:

    $ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

    This example prompts you for passwords for the keystore and key, and to provide the Distinguished Name fields for your key. It then generates the keystore as a file called my-release-key.keystore. The keystore contains a single key, valid for 10000 days. The alias is a name that you will use later when signing your app.

  2. Compile your app in release mode to obtain an unsigned APK.

  3. Sign your app with your private key using jarsigner:

    $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name

    This example prompts you for passwords for the keystore and key. It then modifies the APK in place to sign it. Note that you can sign an APK multiple times with different keys.

  4. Verify that your APK is signed. For example:

    $ jarsigner -verify -verbose -certs my_application.apk

  5. Align the final APK package using zipalign.

    $ zipalign -v 4 your_project_name-unaligned.apk your_project_name.apk

    zipalign ensures that all uncompressed data starts with a particular byte alignment relative to the start of the file, which reduces the amount of RAM consumed by an app.
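As an added example (not part of the original page), the following Python code checks the digest layer that jarsigner -verify inspects for the JAR (v1) signing scheme used in the steps above: it recomputes the SHA1 digest of every entry in an APK, compares it with the SHA1-Digest recorded in META-INF/MANIFEST.MF, and reports entries that were tampered with, removed, or added without being covered by the manifest. The sample APK is a constructed zip containing only MANIFEST.MF; CERT.SF and the CERT.RSA signature block (the part that binds the digests to your release key) are not modelled, so this complements rather than replaces jarsigner -verify.

```python
import base64, hashlib, io, re, zipfile

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Split a JAR MANIFEST.MF into {entry name: {header: value}}; the main section is skipped."""
    sections, name = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # join 72-byte continuation lines
        key, _, value = line.partition(": ")
        if key == "Name":
            name, sections[value] = value, {}
        elif not line.strip():
            name = None
        elif name:
            sections[name][key] = value
    return sections

def check_v1_digests(apk_bytes):
    """Recompute every entry's SHA1 digest and compare with META-INF/MANIFEST.MF (the digest layer
    jarsigner -verify checks for the v1 scheme). Returns sorted findings; an empty list means all matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return ["unsigned APK: no META-INF/MANIFEST.MF"]
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for name, headers in manifest.items():
            if name not in names:
                findings.append("missing: " + name)
            elif headers.get("SHA1-Digest") != sha1_b64(z.read(name)):
                findings.append("tampered: " + name)
        for name in names - set(manifest):  # entries the manifest never listed are not covered by the signature
            if not name.startswith("META-INF/") and not name.endswith("/"):
                findings.append("unlisted: " + name)
    return sorted(findings)

def build_sample_apk(files, signed=None):
    """Constructed stand-in for a jarsigner-signed APK: a zip holding `files` plus a MANIFEST.MF whose digests
    were computed over `signed` (defaults to `files`; pass the pre-tamper contents to simulate a modified APK)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (signed or files).items():
        lines += ["Name: " + name, "SHA1-Digest: " + sha1_b64(data), ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()
```

To run it against a real APK, read the file's bytes and pass them to check_v1_digests; an empty result means only that the manifest digests match, not that the signature block belongs to your key.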
