Quickview

  1. Linux Cli Generate Android App Signing Key Is Best
  2. Linux Cli Generate Android App Signing Key Is Working
  3. Android Studio

When you install Keybase for the first time, you'll be asked to generate a paper key. It's a full-powered key, just like a device key. You can have as many paper keys as you like. You should have at least 1, until Keybase releases a mobile app. Keybase paperkey # make a new paper key keybase device list # see your paper keys. To generate the key, use a KeyPairGenerator with KeyPairGeneratorSpec: /. Generate a new EC key pair entry in the Android Keystore by. using the KeyPairGenerator API. The private key can only be. used for signing or verification and only with SHA-256 or. SHA-512 as the message digest.

  • All Android apps must be signed
  • You can sign with a self-signed key
  • How you sign your apps is critical — read this document carefully
  • Determine your signing strategy early in the development process

In this document

  1. Signing Release Mode

See also

The Android system requires that all installed applications be digitally signed with acertificate whose private key is held by the application's developer. The Android system uses thecertificate as a means of identifying the author of an application and establishing trustrelationships between applications. The certificate is not used to control which applications theuser can install. The certificate does not need to be signed by a certificate authority: it isperfectly allowable, and typical, for Android applications to use self-signed certificates.

The important points to understand about signing Android applications are:

  • All applications must be signed. The system will not install an applicationon an emulator or a device if it is not signed.
  • To test and debug your application, the build tools sign your application with a special debug key that is created by the Android SDK build tools.
  • When you are ready to release your application for end-users, you must sign it with a suitable private key. You cannot publish an application that is signed with the debug key generated by the SDK tools.
  • You can use self-signed certificates to sign your applications. No certificate authority is needed.
  • The system tests a signer certificate's expiration date only at install time. If anapplication's signer certificate expires after the application is installed, the applicationwill continue to function normally.
  • You can use standard tools — Keytool and Jarsigner — to generate keys andsign your application .apk files.
  • After you sign your application for release, we recommend that you use the zipalign tool to optimize the final APK package.

The Android system will not install or run an application that is not signed appropriately. Thisapplies wherever the Android system is run, whether on an actual device or on the emulator.For this reason, you must set up signing for your application before you canrun it or debug it on an emulator or device.

Signing Process

The Android build process signs your application differently depending on which build mode youuse to build your application. There are two build modes: debug mode and releasemode. You use debug mode when you are developing and testing your application. You userelease mode when you want to build a release version of your application that you candistribute directly to users or publish on an application marketplace such as Google Play.

When you build in debug mode the Android SDK build tools use the Keytool utility(included in the JDK) to create a debug key. Because the SDK build tools created the debug key,they know the debug key's alias and password. Each time you compile your application in debug mode,the build tools use the debug key along with the Jarsigner utility (also included in the JDK) tosign your application's .apk file. Because the alias and password are known to the SDKbuild tools, the tools don't need to prompt you for the debug key's alias and password each timeyou compile.

When you build in release mode you use your own private key to sign your application. Ifyou don't have a private key, you can use the Keytool utility to create one for you. When youcompile your application in release mode, the build tools use your private key along with theJarsigner utility to sign your application's .apk file. Because the certificate andprivate key you use are your own, you will have to provide the password for the keystore and keyalias.

Linux Cli Generate Android App Signing Key

The debug signing process happens automatically when you run or debug your application usingEclipse with the ADT plugin. Debug signing also happens automatically when you use the Ant buildscript with the debug option. You can automate the release signing process by using theEclipse Export Wizard or by modifying the Ant build script and building with therelease option.

Signing Strategies

Some aspects of application signing may affect how you approach the developmentof your application, especially if you are planning to release multipleapplications.

In general, the recommended strategy for all developers is to signall of your applications with the same certificate, throughout the expectedlifespan of your applications. There are several reasons why you should do so:

  • Application upgrade – As you release updates to your application, youwill want to continue to sign the updates with the same certificate or set ofcertificates, if you want users to upgrade seamlessly to the new version. Whenthe system is installing an update to an application, it compares thecertificate(s) in the new version with those in the existing version. If thecertificates match exactly, including both the certificate data and order, thenthe system allows the update. If you sign the new version without using matchingcertificates, you will also need to assign a different package name to theapplication — in this case, the user installs the new version as acompletely new application.
  • Application modularity – The Android system allows applications thatare signed by the same certificate to run in the same process, if theapplications so requests, so that the system treats them as a single application.In this way you can deploy your application in modules, and users can updateeach of the modules independently if needed.
  • Code/data sharing through permissions – The Android system providessignature-based permissions enforcement, so that an application can exposefunctionality to another application that is signed with a specifiedcertificate. By signing multiple applications with the same certificate andusing signature-based permissions checks, your applications can share code anddata in a secure manner.

Another important consideration in determining your signing strategy ishow to set the validity period of the key that you will use to sign yourapplications.

  • If you plan to support upgrades for a single application, you should ensurethat your key has a validity period that exceeds the expected lifespan ofthat application. A validity period of 25 years or more is recommended.When your key's validity period expires, users will no longer beable to seamlessly upgrade to new versions of your application.
  • If you will sign multiple distinct applications with the same key,you should ensure that your key's validity period exceeds the expectedlifespan of all versions of all of the applications, includingdependent applications that may be added to the suite in the future.
  • If you plan to publish your application(s) on Google Play, thekey you use to sign the application(s) must have a validity periodending after 22 October 2033. Google Play enforces this requirementto ensure that users can seamlessly upgrade applications whennew versions are available.

As you design your application, keep these points in mind and make sure touse a suitable certificate to sign your applications.

Basic Setup for Signing

Before you begin, make sure that the Keytool utility and Jarsigner utility are available tothe SDK build tools. Both of these tools are available in the JDK. In most cases, you can tellthe SDK build tools how to find these utilities by setting your JAVA_HOME environmentvariable so it references a suitable JDK. Alternatively, you can add the JDK version of Keytool andJarsigner to your PATH variable.

If you are developing on a version of Linux that originally came with GNU Compiler forJava, make sure that the system is using the JDK version of Keytool, rather than the gcjversion. If Keytool is already in your PATH, it might be pointing to a symlink at/usr/bin/keytool. In this case, check the symlink target to be sure it pointsto the Keytool in the JDK.

Signing in Debug Mode

The Android build tools provide a debug signing mode that makes it easier for youto develop and debug your application, while still meeting the Android systemrequirement for signing your APK.When using debug mode to build your app, the SDK tools invoke Keytool to automatically createa debug keystore and key. This debug key is then used to automatically sign the APK, soyou do not need to sign the package with your own key.

The SDK tools create the debug keystore/key with predetermined names/passwords:

  • Keystore name: 'debug.keystore'
  • Keystore password: 'android'
  • Key alias: 'androiddebugkey'
  • Key password: 'android'
  • CN: 'CN=Android Debug,O=Android,C=US'

If necessary, you can change the location/name of the debug keystore/key orsupply a custom debug keystore/key to use. However, any custom debugkeystore/key must use the same keystore/key names and passwords as the defaultdebug key (as described above). (To do so in Eclipse/ADT, go toWindows > Preferences >Android > Build.)

Caution: You cannot release your applicationto the public when signed with the debug certificate.

Eclipse Users

If you are developing in Eclipse/ADT (and have set up Keytool and Jarsigner as described above inBasic Setup for Signing),signing in debug mode is enabled by default. When you run or debug yourapplication, ADT signs the .apk file with the debug certificate, runs zipalign onthe package, then installs it onthe selected emulator or connected device. No specific action on your part is needed,provided ADT has access to Keytool.

Ant Users

If you are using Ant to build your .apk file, debug signing modeis enabled by using the debug option with the ant command(assuming that you are using a build.xml file generated by theandroid tool). When you run ant debug tocompile your app, the build script generates a keystore/key and signs the APK for you.The script then also aligns the APK with the zipalign tool.No other action on your part is needed. ReadBuilding and Running Appson the Command Line for more information.

Expiry of the Debug Certificate

The self-signed certificate used to sign your application in debug mode (the default onEclipse/ADT and Ant builds) will have an expiration date of 365 days from its creation date.

When the certificate expires, you will get a build error. On Ant builds, the errorlooks like this:

In Eclipse/ADT, you will see a similar error in the Android console.

To fix this problem, simply delete the debug.keystore file.The default storage location for AVDs is in ~/.android/ on OS X and Linux,in C:Documents and Settings<user>.android on Windows XP, and inC:Users<user>.android on Windows Vista and Windows 7.

Openssl generate private key pair. The next time you build, the build tools will regenerate a new keystore and debug key.

Note that, if your development machine is using a non-Gregorian locale, the buildtools may erroneously generate an already-expired debug certificate, so that you get anerror when trying to compile your application. For workaround information, see thetroubleshooting topic I can't compile my app because the build tools generated an expired debugcertificate.

Signing in Release Mode

When your application is ready for release to other users, you must:

If you are developing in Eclipse with the ADT plugin, you can use the Export Wizardto perform the compile, sign, and align procedures. The Export Wizard even allows you togenerate a new keystore and private key in the process. So if you use Eclipse, you canskip to Compile and sign with Eclipse ADT.

1. Obtain a suitable private key

In preparation for signing your application, you must first ensure thatyou have a suitable private key with which to sign. A suitable privatekey is one that:

  • Is in your possession
  • Represents the personal, corporate, or organizational entity to be identifiedwith the application
  • Has a validity period that exceeds the expected lifespan of the applicationor application suite. A validity period of more than 25 years is recommended.

    If you plan to publish your application(s) on Google Play, note that avalidity period ending after 22 October 2033 is a requirement. You can not upload anapplication if it is signed with a key whose validity expires before that date.

  • Is not the debug key generated by the Android SDK tools.

The key may be self-signed. If you do not have a suitable key, you mustgenerate one using Keytool. Make sure that you have Keytool available, as describedin Basic Setup.

To generate a self-signed key with Keytool, use the keytoolcommand and pass any of the options listed below (and any others, asneeded).

Warning: Keep your private key secure.Before you run Keytool, make sure to readSecuring Your Private Key for a discussion of how to keepyour key secure and why doing so is critically important to you and to users. Inparticular, when you are generating your key, you should select strong passwordsfor both the keystore and key.

Keytool OptionDescription
-genkeyGenerate a key pair (public and privatekeys)
-vEnable verbose output.
-alias <alias_name>An alias for the key. Onlythe first 8 characters of the alias are used.
-keyalg <alg>The encryption algorithm to usewhen generating the key. Both DSA and RSA are supported.
-keysize <size>The size of each generated key(bits). If not supplied, Keytool uses a default key size of 1024 bits. Ingeneral, we recommend using a key size of 2048 bits or higher.
-dname <name>

A Distinguished Name that describeswho created the key. The value is used as the issuer and subject fields in theself-signed certificate.

Note that you do not need to specify this optionin the command line. If not supplied, Jarsigner prompts you to enter eachof the Distinguished Name fields (CN, OU, and so on).

-keypass <password>

The password for thekey.

As a security precaution, do not include this option in your commandline. If not supplied, Keytool prompts you to enter the password. In this way,your password is not stored in your shell history.

-validity <valdays>

The validity period for thekey, in days.

Note: A value of 10000 or greater is recommended.

-keystore <keystore-name>.keystoreA namefor the keystore containing the private key.
-storepass <password>

A password for thekeystore.

As a security precaution, do not include this option in yourcommand line. If not supplied, Keytool prompts you to enter the password. Inthis way, your password is not stored in your shell history.

Here's an example of a Keytool command that generates a private key:

Running the example command above, Keytool prompts you to providepasswords for the keystore and key, and to provide the DistinguishedName fields for your key. It then generates the keystore as a file calledmy-release-key.keystore. The keystore and key areprotected by the passwords you entered. The keystore containsa single key, valid for 10000 days. The alias is a name that you —will use later, to refer to this keystore when signing your application.

For more information about Keytool, see the documentation athttp://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

2. Compile the application in release mode

In order to release your application to users, you must compile it in release mode.In release mode, the compiled application is not signed by default and you will needto sign it with your private key.

Caution:You can not release your application unsigned, or signed with the debug key.

With Eclipse

To export an unsigned APK from Eclipse, right-click the project in the PackageExplorer and select Android Tools >Export Unsigned ApplicationPackage. Then specify the file location for the unsigned APK.(Alternatively, open your AndroidManifest.xml file in Eclipse, selectthe Manifest tab, and click Export an unsigned APK.)

Note that you can combine the compiling and signing steps with the Export Wizard. SeeCompiling and signing with Eclipse ADT.

With Ant

If you are using Ant, you can enable release mode by using the release optionwith the ant command. For example, if you are running Ant from thedirectory containing your build.xml file, the command would look like this:

By default, the build script compiles the application APK without signing it. The output filein your project bin/ will be <your_project_name>-unsigned.apk.Because the application APK is still unsigned, you must manually sign it with your privatekey and then align it using zipalign.

However, the Ant build script can also perform the signingand aligning for you, if you have provided the path to your keystore and the name ofyour key alias in the project's ant.properties file. With this information provided,the build script will prompt you for your keystore and alias password when you performant release, it will sign the package and then align it. The final outputfile in bin/ will instead be<your_project_name>-release.apk. With these stepsautomated for you, you're able to skip the manual procedures below (steps 3 and 4).To learn how to specify your keystore and alias in the ant.properties file,see Building and Running Apps on the Command Line.

3. Sign your application with your private key

When you have an application package that is ready to be signed, you can do sign itusing the Jarsigner tool. Make sure that you have Jarsigner available on yourmachine, as described in Basic Setup. Also, make sure thatthe keystore containing your private key is available.

To sign your application, you run Jarsigner, referencing both theapplication's APK and the keystore containing the private key with which tosign the APK. The table below shows the options you could use.

Jarsigner OptionDescription
-keystore <keystore-name>.keystoreThe name ofthe keystore containing your private key.
-verboseEnable verbose output.
-sigalgThe name of the signature algorithim to use in signing the APK.Use the value MD5withRSA.
-digestalgThe message digest algorithim to use in processing the entriesof an APK. Use the value SHA1.
-storepass <password>

The password for thekeystore.

As a security precaution, do not include this optionin your command line unless you are working at a secure computer.If not supplied, Jarsigner prompts you to enter the password. In thisway, your password is not stored in your shell history.

-keypass <password>

The password for the privatekey.

As a security precaution, do not include this optionin your command line unless you are working at a secure computer.If not supplied, Jarsigner prompts you to enter the password. In thisway, your password is not stored in your shell history.

Here's how you would use Jarsigner to sign an application package calledmy_application.apk, using the example keystore created above.

Running the example command above, Jarsigner prompts you to providepasswords for the keystore and key. It then modifies the APKin-place, meaning the APK is now signed. Note that you can sign anAPK multiple times with different keys.

Caution: As of JDK 7, the default signing algorithim haschanged, requiring you to specify the signature and digest algorithims (-sigalg and -digestalg) when you sign an APK.

To verify that your APK is signed, you can use a command like this:

If the APK is signed properly, Jarsigner prints 'jar verified'.If you want more details, you can try one of these commands:

or

The command above, with the -certs option added, will show you the'CN=' line that describes who created the key.

Note: If you see 'CN=Android Debug', this means the APK wassigned with the debug key generated by the Android SDK. If you intend to releaseyour application, you must sign it with your private key instead of the debugkey.

For more information about Jarsigner, see the documentation athttp://docs.oracle.com/javase/6/docs/technotes/tools/windows/jarsigner.html

4. Align the final APK package

Once you have signed the APK with your private key, run zipalign on the file.This tool ensures that all uncompressed data starts with a particular byte alignment,relative to the start of the file. Ensuring alignment at 4-byte boundaries providesa performance optimization when installed on a device. When aligned, the Androidsystem is able to read files with mmap(), even ifthey contain binary data with alignment restrictions, rather than copying allof the data from the package. The benefit is a reduction in the amount ofRAM consumed by the running application.

The zipalign tool is provided with the Android SDK, inside thetools/ directory. To align your signed APK, execute:

The -v flag turns on verbose output (optional). 4 is thebyte-alignment (don't use anything other than 4). The first file argument isyour signed .apk file (the input) and the second file is the destination .apk file(the output). If you're overriding an existing APK, add the -f flag.

Caution: Your input APK must be signed with yourprivate key before you optimize the package with zipalign.If you sign it after using zipalign, it will undo the alignment.

For more information, read about thezipalign tool.

Compile and sign with Eclipse ADT

If you are using Eclipse with the ADT plugin, you can use the Export Wizard toexport a signed APK (and even create a new keystore,if necessary). The Export Wizard performs all the interaction withthe Keytool and Jarsigner for you, which allows you to sign the package using a GUIinstead of performing the manual procedures to compile, sign,and align, as discussed above. Once the wizard has compiled and signed your package,it will also perfom package alignment with zipalign.Because the Export Wizard uses both Keytool and Jarsigner, you shouldensure that they are accessible on your computer, as described abovein the Basic Setup for Signing.

To create a signed and aligned APK in Eclipse:

  1. Select the project in the PackageExplorer and select File > Export.
  2. Open the Android folder, select Export Android Application, and click Next.

    The Export Android Application wizard now starts, which will guide you through the process of signing your application, including steps for selecting the private key with which to sign the APK (or creating a new keystore and private key).

  3. Complete the Export Wizard and your application will be compiled, signed, aligned, and ready for distribution.

Securing Your Private Key

Maintaining the security of your private key is of critical importance, bothto you and to the user. If you allow someone to use your key, or if you leaveyour keystore and passwords in an unsecured location such that a third-partycould find and use them, your authoring identity and the trust of the userare compromised.

If a third party should manage to take your key without your knowledge orpermission, that person could sign and distribute applications that maliciouslyreplace your authentic applications or corrupt them. Such a person could alsosign and distribute applications under your identity that attack otherapplications or the system itself, or corrupt or steal user data.

Your reputation as a developer entity depends on your securing your privatekey properly, at all times, until the key is expired. Here are some tips forkeeping your key secure:

  • Select strong passwords for the keystore and key.
  • When you generate your key with Keytool, do not supply the-storepass and -keypass options at the command line.If you do so, your passwords will be available in your shell history,which any user on your computer could access.
  • Similarly, when signing your applications with Jarsigner,do not supply the -storepass and -keypassoptions at the command line.
  • Do not give or lend anyone your private key, and do not let unauthorizedpersons know your keystore and key passwords.

In general, if you follow common-sense precautions when generating, using,and storing your key, it will remain secure.

By krish ghatul

Steps to create a signed release android apk with Apache Cordova.

To upload an app to the Google Play Store, you need to sign it first. We are going to learn about how to sign android apk with Cordova environment. I assumed you have Cordova, android environment available on your machine and you already added an android platform for your project.

Method 1:-

#1. Create keystore file to sign apk.

Go to the root path of your project and run below command.

Above command create keystore file at root level i.e appreleasedemo.keystore (the binary file which can hold a set of a key). validity flag is used to set the expiration of your signature.(You can change keystore file name and alias name)

#2. Create properties file.

Create file having file extension *.properties at a root level. ~release-signing.propertiesAdd these attributes to release-signing.properties file.

Here-

storeFile: Path to a binary file which can hold a set of keys

storeType: extensionEither pkcs12 or jks

keyAlias: The id specifying the private key used for signing

storePassword: Password to the keystore

keyPassword: Password for the private key specified

Linux cli generate android app signing keyboard

storePassword and keyPassword are optional.

#3. Move above two files to (1.appreleasedemo.keystore 2.release-signing.properties) location ~/platforms/android

#4. Set version release and version code and package name.

Open root config.xml file from root level and edit widget tag having below attributes:-

Linux Cli Generate Android App Signing Key Is Best

  1. android-versionCode='50'
  2. id='com.demo.apprelease'
  3. version='0.2.3'

id - is a package name of our app. If keystore file changed then need to change package name also because apk with existing package name with new signing key not accepted by google play console.

android-versionCode -

Not shown to users. Used for internal calculation(google play store) to protect against downgrades by android system. Used to calculate one version is more recent than another. A higher number means recent version. You cannot upload an APK to the Play Store with previous version code.

Version -

Used as shown to users. Version format <major>.<minor>.<point>string.

#5.Build android release

Release apk created on path ~/platforms/android/build/outputs/apk/android-release.apk

#6. Upload to Google play store console.

Linux Cli Generate Android App Signing Key Is Working

Sign up for a Google Play Developer account select option edit release and choose apk file to upload.

Method 2:-

If, you don't want to use *.properties file then use below command to create release apk.

I think method 1 is better than below command. In this method you need to mention keystore path, passwords etc. in command each time. *.properties file is maintainable in compare to below command.

Method 3:-

Alternatively, Instead of *.properties file, you could use build.json file. Specify all configuration in JSON format. Use the --buildConfig flag to the same commands.

Create build.json file:

Android Studio