There are several points to understand the Android application signature:
All applications must be signed. The system will not install any unsigned programs.
You can sign with your own certificate. No authorization center is required.
When you want to publish an application for end users, you must check in the appropriate key. DebugKey checked in by SDK tools cannot be used when publishing programs.
The system only checks the validity of the certificate when installing the application. If the certificate of the application is invalid after installation, the application can still work normally.
You can use standard tools-Keytool and Jarsigner-to generate keys and sign apk files.
Once you sign the application, be sure to use zipalign tool to optimize the final APK package.
Android will not install and run applications that are not signed correctly. This rule applies to any place running Android system, whether it is a real machine or an emulator. It is for this reason that you must sign the program before running/debugging it on the simulator or real machine.
When you debug an application, the AndroidSDK tool will sign the application for you. Eclipse's ADT plug-in and Ant compiler provide two signature modes-debugging mode and publishing mode.
Debugging mode can be used in development and testing. In debug mode, the compiler uses the Keytool tool embedded in JDK to create keystores and keys (including recognizable names and passwords). Use this DebugKey to sign the apk file at each compilation. Because the password is recognizable, you don't need to be prompted to enter the keystore and key password every time you compile.
When your program is ready to be published, you must sign the apk file with a key in publishing mode. There are two ways to do this:
1.Keytool and Jarsigner are used on the command line. In this method, you need to compile an unsigned apk first. Then use Jarsigner (or similar tool) to sign apk manually with your key. If you don't have the correct key, you can run Keytool to manually generate your own keystore/key.
2. use ADT export wizard. If you use Eclipse/ADT plug-ins, you can use the export wizard to compile programs, generate keys (if necessary) and sign apk, all of which are in the export wizard. Once your program is signed, don't forget to run zipalign to further optimize apk.
Signature strategy
Some aspects of application signature may affect application development, especially if you plan to publish multiple applications together. In general, the recommended policy is that all programs sign the same certificate throughout the application life cycle.
You should do this for several reasons:
Application upgrade-When you upgrade your application, you need to sign the same certificate if you want users to upgrade smoothly. When the system installs the upgrade application, if the new version of the certificate matches the old version, the system will allow the upgrade. If you don't sign the proper certificate for the version, you need to give it a new package name when installing the application-in this case, the new version installed by the user is regarded as a brand new application.
Modularization of applications-Android allows applications with the same certificate to run in the same process if requested by applications, so that the system can treat them as a single application. By configuring the application in this way, the user can choose to update each independent module.
* * * Access to code/data-Android system provides signature-based access check, so if specific certificates are signed between applications, they can * * * enjoy functions. By signing the same certificate by multiple programs and using signature-based permission check, your program can * * * use code and data in a secure way. Another important factor that determines the signature strategy is how to set the validity period of the key.
If you plan to support the upgrade of a single application, you need to ensure that the expiration date of your key exceeds the expected application life cycle. It is recommended to use a validity period of 25 years or more. When your key expires, users cannot successfully update to the new version.
If you want to sign the same key for multiple unrelated applications, you must ensure that the validity period of the key exceeds the life cycle of all versions of all applications, including those that may join this camp in the future.
If you want to publish your program on the Internet, the key must be valid after 2033+00.22. The market server enforces this requirement, at present, in order to ensure that users can update the program smoothly.
When you design an application, you must remember these points and sign the application with an appropriate certificate.
Basic settings of signature
Before you begin, you must make sure that Keytool is available to the SDK compiler. In most cases, you can tell the SDK compiler how to find Keytool by setting the JAVA_HOME environment variable. In addition, you can add the PATH of Keytool in JDK to the path variable.
If you develop on Linux and compile Java with GNU compiler, make sure that the system uses JDK's Keytool instead of gcj. If Keytool is already in your path, it may be a symbolic link to /usr/bin/keytool. In this case, check the target of the symbolic link to ensure that it points to the Keytool in the JDK. If you plan to release your application to the public, you also need the Jarsigner tool. Jarsigner and Keytool are both included in JDK.
Signature in debug mode
Android compiler tool provides debugging signature mode, which makes application development and debugging easier, and also meets the signature requirements of Android system. When compiling the application in debugging mode, SDK tool will call Keytool tool to automatically create debugging keystore and key. Then, this Debugkey will be automatically used for apk signature, so that you don't need to use your own key to sign the application package.
The SDK tool uses a predefined name/password to create a/key:
Name of keystore: "debug.keysotre"
Keystore password: "android"
Key alias: ""
Key password: "Android"
CN:“CN =,O=Android,C=US”
If necessary, you can change the location and name of /key, or provide a custom /key. However, any custom /key must use the same name and password as the default Debugkey (as described above). (in Eclipse/ADT, operate windows >;; Preferences & gtAndroid & gt build implementation. )
Note: Applications with debugging certificates cannot be released to the public.
Eclipse users
If you are developing under Eclipse/ADT (and you have configured Keytool according to the "Basic Settings of Signature" described above), then by default, in debug mode, the signature is turned on. When you run or debug an application, ADT will sign it with a debugging certificate, run zipalign, and then install it on the selected emulator or connected device. There is no need to participate in the whole process, provided that ADT can access Keytool.
Ant user
If you use ant to compile apk files, you need to add Debug option to the Ant command to turn on debugging signature mode (assuming you are using the build.xml file generated by android tools). When you run antdebug to compile your program, the compilation script will generate a keystore/key and sign the apk. The script will then use the zipalign tool to align the apk. You don't need to be involved all the time. For more information, please read "Developing in Other IDE: Debugging Mode Compilation".
Debugging certificate has expired.
The certificate used for signing in debugging mode (compiled by Eclipse/ADT and Ant by default) will be invalid after 1 year from the date of creation.
When the certificate expires, you will get a compilation error. In Ant compilation, the error is as follows:
Debugging:
[echo]/samples-debug.apk, ...
4: 43 p.m.
In Eclipse/ADT, you will see similar errors on the Android console.
To solve this problem, just delete the debug.keystore file. The default storage location of AVD is: ~/. Android/avd(OSX and Linux), C:\. Android(WindowsXP) and C:Users\. Android ().
On the next compilation, the compiler will regenerate the new keystore and debugging key.
Signature in publishing mode
When your program can be distributed to other users, you must:
1. Take a suitable key.
2. Compile the program in release mode
3. Use key signing program
4. align APK software package
If you are developing with Eclipse/ADT plug-in, you can use the export wizard to complete compilation, signing and alignment. During the whole process, the export wizard can even generate new keystores and keys. Therefore, if you use Eclipse, you can skip to "Compiling and signing with EclipseADT".
Get a proper key In order to sign a program, first of all, you must have a proper key. The key point is:
Personal property.
Represents the identity of an individual, company or organizational entity.
There is an expiration date. The validity period is recommended to exceed 25 years.
If you publish your program online, it should be noted that the validity period of the program needs to be after 2033.8+00.22. You cannot upload the application, and its key is valid before this date.
Debugkey is not generated by AndroidSDK tool.
If there is no suitable key, you must use Keytool to generate one. Make sure that Keytool is available, as described in Basic Settings.
To generate a key using Keytool, use the keytool command and pass in some optional parameters, as shown in the following table.
Warning: Ensure the security of the key. Be sure to read "Store Your Key Safely" to discuss how to ensure the security of your key and why it is so important to you and users. In particular, when you generate keys, be sure to use strong passwords for keystores and keys.