So you've written, tested and debugged your killer Android app and now want to share it with the world! Your project creates the file to install - the APK, Android's installable package - but that's not the full story. You can't distribute it unless it's been signed, a security measure enforced on anyone distributing Android apps. The good news is it's nothing like as difficult as in the bad old days of J2ME, where you had to worry about the different levels of security, obtain certificates from third parties, then send your app off for re-signing every build. In this tutorial we show you how to do it yourself as well as give you a little present: an all-in-one tool to automate it all!
Make yourself a certificate
The purpose of signing your app is to stamp it for evermore with your own digital fingerprint. The mechanism for doing this has been present in Java from the start - Android just leveraged this battle-hardened system already accepted by the industry.
The process is pretty straightforward. You generate your digital fingerprint, called a self-signed certificate, and use that to brand your app inside its apk file. When you create the certificate, you supply a password known only to you. Then, each time you sign your app with it, you are asked to supply the password. This prevents anyone who happens to get hold of your certificate from using it without authorisation.
Generating this key is as easy as running this command, assuming Java is installed correctly:
keytool -genkey -v -keystore foo.keystore -alias foo -keyalg RSA -validity 10000
You should substitute "foo" with your own short name. When you run this, you are also asked a series of questions regarding your organisation and location:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Mike Android
What is the name of your organizational unit?
[Unknown]: Software Development Dept.
What is the name of your organization?
[Unknown]: Android Academy
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=Mike Android, OU=Software Development Dept., O=Android Academy, L=Droidville,
ST=Droidshire, C=UK correct?
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with
a validity of 10,000 days
for: CN=Mike Android, OU=Software Development Dept., O=Android Academy,
L=Droidville, ST=Droidshire, C=UK
Enter key password for <foo>
(RETURN if same as keystore password):
And hey presto - "foo.keystore" appears, holding a self-signed certificate with our details and protected by our password. Keep this safe, and don't reveal your password to anyone! You don't need to go through this again unless your details change: foo.keystore is now used each time any new apps need signing.
The signing process
Let's assume your build process (e.g. Eclipse) puts the unsigned apk file in your project's /bin folder, which it does by default. To sign it, you need to run another Java command which uses your keystore. This process might end up being repeated many times as the development cycle plays out, so a good tip is to set up a repeatable process for it. Create a new /tools folder, and copy your keystore into it. It's also cleaner to have the process create a new file in a dedicated location each time; that way you cannot confuse the signed and unsigned versions - a real danger, as both files have the same .apk extension. Create a new folder under the project called /release. You can be confident now that the only files which will appear there are the ones for release, i.e. the signed one. Try the following from the /tools folder, changing App.apk to the name of your app:
jarsigner -keystore foo.keystore -signedjar ..\release\App.apk ..\bin\App.apk foo
You'll be asked for your keystore password - enter it and you should see the signed version of your app in the /release folder.
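Putting the two steps together as one repeatable script, as an added example here rather than the tool the article itself supplies: it assumes the folder layout described above (run from /tools with the keystore beside it, unsigned build in ../bin, signed output in ../release), is written for a POSIX shell rather than the Windows paths shown, and adds two things to the article's commands: -keysize 2048 on keytool (the article's output shows the old 1,024-bit default) and a jarsigner -verify pass after signing. The KEYSTORE and ALIAS variables and the function names are the script's own, not keytool or jarsigner options.

```shell
#!/bin/sh
# sign-release.sh: added example, not the article's own tool.
# Assumed layout, run from the project's /tools folder:
#   ./foo.keystore        keystore created once with keytool
#   ../bin/App.apk        unsigned build produced by Eclipse
#   ../release/App.apk    signed output, never written anywhere else
set -eu

KEYSTORE="${KEYSTORE:-foo.keystore}"   # assumed default names, override via env
ALIAS="${ALIAS:-foo}"

# Map any unsigned apk path to its signed counterpart under ../release,
# so signed and unsigned files never sit in the same folder.
release_path_for() {
    _name=$(basename "$1")
    printf '%s\n' "../release/$_name"
}

# Step 1 (once): create the keystore and self-signed certificate.
# Refuses to overwrite an existing keystore so the identity cannot be
# replaced by accident. -keysize 2048 is our addition over the article.
make_keystore() {
    if [ -e "$KEYSTORE" ]; then
        echo "refusing to overwrite existing keystore: $KEYSTORE" >&2
        return 1
    fi
    keytool -genkey -v -keystore "$KEYSTORE" -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -validity 10000
}

# Step 2 (every release): sign one apk into ../release and verify it.
# Refuses to clobber an existing release file, so a stale signed build
# can never be confused with the one just produced.
sign_apk() {
    unsigned=$1
    signed=$(release_path_for "$unsigned")
    if [ ! -f "$unsigned" ]; then
        echo "unsigned apk not found: $unsigned" >&2
        return 1
    fi
    if [ -e "$signed" ]; then
        echo "release already exists, remove it first: $signed" >&2
        return 1
    fi
    mkdir -p ../release
    jarsigner -keystore "$KEYSTORE" -signedjar "$signed" "$unsigned" "$ALIAS"
    # Confirm the output really carries our certificate before it ships.
    jarsigner -verify -certs "$signed"
}

case "${1:-}" in
    keygen) make_keystore ;;
    sign)   sign_apk "${2:?usage: $0 sign ../bin/App.apk}" ;;
esac
```

Run `./sign-release.sh keygen` once, then `./sign-release.sh sign ../bin/App.apk` for each build; both commands prompt for the keystore password exactly as the article's commands do. The verify pass at the end is what makes the /release folder trustworthy: a file only appears there after jarsigner has confirmed the signature against your certificate. On Windows the same script works from a Git Bash or similar shell; the article's backslash paths are the cmd.exe form of the same commands.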