Signing Android applications

In order to install an Android Application onto the emulator or the phone you must first cryptographically sign it. When you do a debug build (using “ant debug”) ant will automatically sign the binary with an auto-generated debug key.

This key is set to expire 365 days after it was auto-generated (the first time you did a debug build). If a debug build fails due to an expired key, you simply need to delete the current debug key and a new one will be auto-generated. To do this, navigate to where the debug key is located and delete it. On Linux and Mac OS X this is ~/.android and the key is the file “debug.keystore”.

Signing your application with a debug key is fine for testing purposes, but for release the application should be signed with a unique key that you have generated just for that purpose. If you plan on releasing the application on the Android Market then the key should also contain correct identifying information (your name or company) and should expire no earlier than October 22, 2033.

To generate a key you need the keytool application that comes with Java. You need to specify the keystore (the file name), the alias for the key, which algorithm to use (we want RSA) and how long it should be valid for. Let’s create a key stored in the file “release.keystore” with the alias “release” that will be valid for 10,000 days:

niki@redblacktree:~/.android$ keytool -genkey -v -keystore release.keystore -alias release -keyalg RSA -validity 10000

Keytool will then ask you a bunch of questions:

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Niki Yoshiuchi
What is the name of your organizational unit?
[Unknown]: aplusbi
What is the name of your organization?
[Unknown]: aplusbi
What is the name of your City or Locality?
[Unknown]: New York
What is the name of your State or Province?
[Unknown]: NY
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Niki Yoshiuchi, OU=aplusbi, O=aplusbi, L=New York, ST=NY, C=US correct?
[no]: y

Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days
for: CN=Niki Yoshiuchi, OU=aplusbi, O=aplusbi, L=New York, ST=NY, C=US
Enter key password for
(RETURN if same as keystore password):
[Storing release.keystore]

And you’re done! You’ll notice that I ran keytool out of the ~/.android directory so that release.keystore is located in the same place as debug.keystore.

Now onto signing applications. Let’s go back to our Hello Android project and do a release build:

niki@redblacktree:~/projects/android/hello$ ant release

Once this has finished there should be a new apk located in the bin directory called “HelloAndroid-unsigned.apk”. We need to sign it with the key we created earlier using jarsigner:

niki@redblacktree:~/projects/android/hello$ jarsigner -keystore ~/.android/release.keystore bin/HelloAndroid-unsigned.apk release

And now “HelloAndroid-unsigned.apk” has been signed in place (jarsigner keeps the file name). It can now be installed using adb.
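As an added example (not code from the original post), here is the same keytool/jarsigner procedure scripted without the interactive prompts, with the checks a release pipeline would want: the validity period is computed so the certificate outlives the October 22, 2033 requirement, the signature is verified with jarsigner after signing, and the certificate's expiry is printed. The keystore name, alias, password, the -dname contents and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes JDK keytool/jarsigner on PATH;
# the key size (2048, where keytool defaulted to 1024 at the time) and the
# distinguished name below are assumptions.
set -eu

MARKET_DEADLINE=2013552000   # 2033-10-22 00:00:00 UTC as Unix epoch seconds

# Days of validity needed so the certificate outlives the Market deadline,
# computed from a "now" epoch passed as $1 (so the result can be tested);
# the +1 rounds the integer division up.
required_validity_days() {
    echo $(( ($MARKET_DEADLINE - $1) / 86400 + 1 ))
}

# Extract the "until:" date from "keytool -list -v" output read on stdin.
cert_until() {
    sed -n 's/.*until: //p' | head -n 1
}

# Create the release key non-interactively: -dname replaces the question and
# answer session, -storepass/-keypass replace the password prompts.
generate_release_key() {   # $1 keystore, $2 alias, $3 store/key password
    days=$(required_validity_days "$(date +%s)")
    keytool -genkeypair -v -keystore "$1" -alias "$2" -keyalg RSA -keysize 2048 \
        -validity "$days" -storepass "$3" -keypass "$3" \
        -dname "CN=Example Dev, OU=dev, O=Example, L=New York, ST=NY, C=US"
}

# Sign the apk in place (as the post does), fail unless jarsigner verifies the
# result, then print the certificate's expiry for the operator to check.
sign_and_verify() {        # $1 keystore, $2 alias, $3 password, $4 apk path
    jarsigner -keystore "$1" -storepass "$3" "$4" "$2"
    jarsigner -verify -verbose -certs "$4" | grep -q "jar verified"
    keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" | cert_until
}
```

A typical run would be `generate_release_key ~/.android/release.keystore release "$PASS"` followed by `sign_and_verify ~/.android/release.keystore release "$PASS" bin/HelloAndroid-unsigned.apk`.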
