Signing for Public Release


When your application is ready for release to other users, you must:

1. Compile the application in release mode

2. Obtain a suitable private key

3. Sign the application with your private key

The sections below provide information about how to perform these steps.

If you use Eclipse with the ADT plugin, you can instead use the Export Wizard to compile and sign an .apk with your private key. The Export Wizard even allows you to generate a new keystore and private key in the process. Skip to Compiling and signing with Eclipse ADT.

Compiling for release

To prepare your application for release, you must first compile it in release mode. In release mode, the Android build tools compile your application as usual, but without signing it with the debug key.

Note: You cannot release your application unsigned, or signed with the debug key.

Eclipse users

To export an unsigned .apk from Eclipse, right-click the project in the Package Explorer and select Android Tools > Export Unsigned Application Package. Then simply specify the file location for the unsigned .apk. (Alternatively, open your AndroidManifest.xml file in Eclipse, open the Overview tab, and click Export an unsigned .apk.)

You can also combine the compiling and signing steps with the Export Wizard. See Compiling and signing with Eclipse ADT.

Ant users

If you are using Ant, all you need to do is specify the build target "release" in the Ant command. For example, if you are running Ant from the directory containing your build.xml file, the command would look like this:

$ ant release

The build script compiles the application .apk without signing it.

Obtaining a Suitable Private Key

In preparation for signing your application, you must first ensure that you have a suitable private key with which to sign. A suitable private key is one that:

• Is in your possession

• Represents the personal, corporate, or organizational entity to be identified with the application

• Has a validity period that exceeds the expected lifespan of the application or application suite. A validity period of more than 25 years is recommended.

If you plan to publish your application(s) on Android Market, note that a validity period ending after 22 October 2033 is a requirement. You cannot upload an application if it is signed with a key whose validity expires before that date.

• Is not the debug key generated by the Android SDK tools.

The key may be self-signed. If you do not have a suitable key, you must generate one using Keytool. Make sure that you have Keytool available, as described in Basic Setup.

To generate a self-signed key with Keytool, use the keytool command and pass any of the options listed below (and any others, as needed).

Note: Before you run Keytool, make sure to read Securing Your Private Key for a discussion of how to keep your key secure and why doing so is critically important to you and to users. In particular, when you are generating your key, you should select strong passwords for both the keystore and key.

Keytool Option

Description

-genkey

Generate a key pair (public and private keys)

-v

Enable verbose output.

-keystore <keystore-name>.keystore

A name for the keystore containing the private key.

-storepass <password>

A password for the keystore.

As a security precaution, do not include this option in your command line unless you are working at a secure computer. If not supplied, Keytool prompts you to enter the password. In this way, your password is not stored in your shell history.

-alias <alias name>

An alias for the key.

-keyalg <alg>

The key algorithm to use when generating the key pair. Both DSA and RSA are supported.

-dname <name>

A Distinguished Name that describes who created the key. The value is used as the issuer and subject fields in the self-signed certificate.

Note that you do not need to specify this option in the command line. If not supplied, Keytool prompts you to enter each of the Distinguished Name fields (CN, OU, and so on).

-validity <valdays>

The validity period for the key, in days.

Note: A value of 10000 or greater is recommended.

-keypass <password>

The password for the key.

As a security precaution, do not include this option in your command line unless you are working at a secure computer. If not supplied, Keytool prompts you to enter the password. In this way, your password is not stored in your shell history.

Here's an example of a Keytool command that generates a private key:

$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -validity 10000

Running the example command above, Keytool prompts you to provide passwords for the keystore and key, and to provide the Distinguished Name fields for your key. It then generates the keystore as a file called my-release-key.keystore. The keystore and key are protected by the passwords you entered. The keystore contains a single key, valid for 10000 days. The alias is a name that you will use later, to refer to this keystore when signing your application.

For more information about Keytool, see the documentation at http://java.sun.com/j2se/1.5.0/docs/tooldocs/#security

Signing your application

When you are ready to actually sign your .apk for release, you can do so using the Jarsigner tool. Make sure that you have Jarsigner available on your machine, as described in Basic Setup. Also, make sure that the keystore containing your private key is available.

To sign your application, you run Jarsigner, referencing both the application's .apk and the keystore containing the private key with which to sign the .apk. The table below shows the options you could use.

Jarsigner Option

Description

-keystore <keystore-name>.keystore

The name of the keystore containing your private key.

-verbose

Enable verbose output.

-storepass <password>

The password for the keystore.

As a security precaution, do not include this option in your command line unless you are working at a secure computer. If not supplied, Jarsigner prompts you to enter the password. In this way, your password is not stored in your shell history.

-keypass <password>

The password for the private key.

As a security precaution, do not include this option in your command line unless you are working at a secure computer. If not supplied, Jarsigner prompts you to enter the password. In this way, your password is not stored in your shell history.

Here's how you would use Jarsigner to sign an application package called my_application.apk, using the example keystore created above.

$ jarsigner -verbose -keystore my-release-key.keystore my_application.apk alias_name

Running the example command above, Jarsigner prompts you to provide passwords for the keystore and key. It then modifies the .apk in-place, meaning the .apk is now signed. Note that you can sign an .apk multiple times with different keys.

To verify that your .apk is signed, you can use a command like this:

$ jarsigner -verify my_signed.apk

If the .apk is signed properly, Jarsigner prints "jar verified". If you want more details, you can try one of these commands:

$ jarsigner -verify -verbose my_application.apk

or

$ jarsigner -verify -verbose -certs my_application.apk

The command above, with the -certs option added, will show you the "CN=" line that describes who created the key.

Note: If you see "CN=Android Debug", this means the .apk was signed with the debug key generated by the Android SDK. If you intend to release your application, you must sign it with your private key instead of the debug key.
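As an added example that is not part of the original page, the following shell script turns the verification step above, together with the validity requirement from the key section, into a release-readiness check. It assumes the JDK's jarsigner and keytool are on PATH; the parsing functions take captured tool output, so they can be tried without a JDK, and the output formats they parse are assumed, not quoted from the tools.

```shell
# Added example, not part of the original page: a release-readiness check
# built on the page's verification step. Assumes jarsigner and keytool from
# the JDK on PATH; parsing functions work on captured output (format assumed).

# Classify `jarsigner -verify -verbose -certs <apk>` output.
# Returns 0 = signed with a non-debug key, 1 = unsigned or not verified,
# 2 = signed with the SDK debug key (CN=Android Debug), which must not ship.
check_signature_output() {
    out="$1"
    case "$out" in
        *"jar verified"*) ;;
        *) return 1 ;;
    esac
    case "$out" in
        *"CN=Android Debug"*) return 2 ;;
    esac
    return 0
}

# Returns 0 when the expiry year on the `until:` line of `keytool -list -v`
# output is 2034 or later, i.e. safely past the 22 October 2033 cutoff.
validity_ok() {
    year="$(printf '%s\n' "$1" | awk '/until:/ { print $NF; exit }')"
    case "$year" in
        [0-9][0-9][0-9][0-9]) [ "$year" -ge 2034 ] ;;
        *) return 1 ;;
    esac
}

# Wrappers around the real tools; passwords are typed at the prompt, never
# passed on the command line, so they stay out of shell history.
check_apk() {
    out="$(jarsigner -verify -verbose -certs "$1" 2>&1)" || true
    check_signature_output "$out"
}
check_key() {  # usage: check_key my-release-key.keystore alias_name
    out="$(keytool -list -v -keystore "$1" -alias "$2" 2>&1)" || true
    validity_ok "$out"
}

# Constructed sample outputs (not captured from real tools) for a self-test.
SAMPLE_RELEASE='sm     1234 Fri Mar 05 10:00:00 UTC 2010 classes.dex
      X.509, CN=Example Corp, OU=Mobile, O=Example Corp, C=US
jar verified.'
SAMPLE_DEBUG='sm     1234 Fri Mar 05 10:00:00 UTC 2010 classes.dex
      X.509, CN=Android Debug, O=Android, C=US
jar verified.'
SAMPLE_UNSIGNED='jar is unsigned. (signatures missing or not parsable)'
SAMPLE_KEY_OK='Valid from: Fri Mar 05 10:00:00 UTC 2010 until: Wed Jul 21 10:00:00 UTC 2037'
SAMPLE_KEY_SHORT='Valid from: Fri Mar 05 10:00:00 UTC 2010 until: Thu Mar 02 10:00:00 UTC 2020'
```

Run `check_apk my_application.apk && check_key my-release-key.keystore alias_name` before uploading; a non-zero exit means the build is debug-signed, unsigned, or signed with a key that expires too early.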

For more information about Jarsigner, see the documentation at http://java.sun.com/j2se/1.5.0/docs/tooldocs/#security

Compiling and signing with Eclipse ADT

When using Eclipse with ADT, you can use the Export Wizard to export a signed .apk (and even create a new keystore, if necessary). The Export Wizard performs all the interaction with the Keytool and Jarsigner for you, which allows you to perform signing via a graphical interface instead of the command-line. Because the Export Wizard uses both Keytool and Jarsigner, you should ensure that they are accessible on your computer, as described above in the Basic Setup for Signing.

To create a signed .apk, right-click the project in the Package Explorer and select Android Tools > Export Signed Application Package. (Alternatively, open your AndroidManifest.xml file in Eclipse, open the Overview tab, and click Use the Export Wizard.) The window that appears will display any errors found while attempting to export your application. If no errors are found, continue with the Export Wizard, which will guide you through the process of signing your application, including steps for selecting the private key with which to sign the .apk, or creating a new keystore and private key.

When you complete the Export Wizard, you'll have a signed .apk that's ready for distribution.
