Wednesday, 2 October 2013

Signing your android applications


Following are the generic steps to create signed applications.

Tools/Binaries Required:
1. keytool
2. jarsigner
3. zipalign

Usually keytool and jarsigner are available in /usr/lib/jvm/java/jdk1.6.0_33/bin, and zipalign is available in the tools directory of the SDK. Add the directories containing these binaries to your PATH environment variable.
Ex: export PATH=/usr/lib/jvm/java/jdk1.6.0_33/bin:$PATH
or
add the above paths to the /etc/environment file so that you do not need to do this every time.

There are two types of Android signing:
1. Signing in Debug Mode
2. Signing in Release Mode

Sign your APK with the platform key to use the shared system ID.

You can find the key in your AOSP code, normally under AOSP_HOME/build/target/product/security.
1. Signing in Debug Mode: The Android build tools provide a debug signing mode that makes it easier for you to develop and debug your application.

$ cd $ANDROID_HOME/build/target/product/security/

$ openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem

$ openssl pkcs12 -export -in platform.x509.pem -inkey platform.pem -out platform.p12 -password pass:android -name androiddebugkey

$ /usr/lib/jvm/java/jdk1.6.0_33/bin/keytool -importkeystore -deststorepass android -destkeystore platform.jks -srcstoretype PKCS12 -srcstorepass android -srckeystore platform.p12


Copy platform.jks to your key directory.

Then open Eclipse -> Window -> Preferences -> Android -> Build.

Your application is then signed with the platform key, and an application that uses the system user ID can be run.

Remember, your AndroidManifest.xml needs android:sharedUserId="android.uid.system".

Eclipse Users

If you are developing in Eclipse/ADT (and have set up Keytool and Jarsigner as described above), signing in debug mode is enabled by default. When you run or debug your application, ADT signs the .apk file with the debug certificate, runs zipalign on the package, then installs it on the selected emulator or connected device. No specific action on your part is needed, provided ADT has access to Keytool.

Signing in Release Mode

When your application is ready for release to other users, you must:


  • Obtain a suitable private key
  • Compile the application in release mode
  • Sign your application with private key
  • Align the final APK Package


1. Obtain a suitable private key
Example of a Keytool command that generates a private key:

$ keytool -genkey -v -keystore prakash.keystore -alias kothnanmaklu -keyalg RSA -keysize 2048 -validity 10000

The session will look like the steps below.

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: prakash
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=prakash, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days
for: CN=prakash, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Enter key password for <kothnanmaklu>
(RETURN if same as keystore password):
Re-enter new password:
[Storing prakash.keystore] (This will be stored wherever you specified.)

Keytool option usage:

-genkey: Generate a key pair (public and private keys).
-v: Verbose.
-keystore: A name for the keystore containing the private key.
-alias: An alias for the key. Only the first 8 characters of the alias are used.
-keyalg: The encryption algorithm to use when generating the key. Both DSA and RSA are supported.
-keysize: The size of each generated key (bits). If not supplied, Keytool uses a default key size of 1024 bits. In general, we recommend using a key size of 2048 bits or higher.
-validity: The validity period for the key, in days.
Note: A value of 10000 or greater is recommended.


2. Compile the application in release mode


In order to release your application to users, you must compile it in release mode. In release mode, the compiled application is not signed by default and you will need to sign it with your private key.

With Eclipse

To export an unsigned APK from Eclipse, right-click the project in the Package Explorer and select Android Tools > Export Unsigned Application Package. Then specify the file location for the unsigned APK. (Alternatively, open your AndroidManifest.xml file in Eclipse, select the Manifest tab, and click Export an unsigned APK.)

3. Sign your application with your private key

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore prakash.keystore MediaPlayer.apk kothnanmaklu

It will ask for Keystore password.
Enter Passphrase for keystore:

Output will look like this.
adding: META-INF/MANIFEST.MF
adding: META-INF/TRUEINDI.SF
Enter key password for trueindian:
adding: META-INF/TRUEINDI.RSA
signing: res/anim/slide_in.xml
signing: res/anim/slide_out.xml
signing: res/drawable/back.xml
signing: res/drawable/back_black.xml
signing: res/drawable/back_not_round.xml
signing: res/drawable/background.xml
signing: res/drawable/background2.xml
signing: res/drawable/bakground_list.xml
signing: res/drawable/blue_grad_bg_26.png
signing: res/drawable/button_col.xml
signing: res/drawable/ch_backgd1.xml
signing: res/drawable/ch_backgd2.xml
signing: res/drawable/customshape.xml
signing: res/drawable/dback.xml
signing: res/drawable/goto_text.xml
signing: res/drawable/grey_bak_ground.xml
signing: res/drawable/icon_favorites.png
signing: res/drawable/icon_tv_guide.png
signing: res/drawable/panel.xml
signing: res/drawable/rect1.xml
signing: res/drawable/rect2.xml
signing: res/drawable/red_grad_bg_26.png
signing: res/drawable/rem_col.xml
signing: res/drawable/rounded_black.xml
signing: res/drawable/rounded_blue_corner.xml
signing: res/drawable/rounded_red.xml
signing: res/drawable/trans_border.xml
signing: res/layout/activity_main.xml
signing: res/layout/chan_ban.xml
signing: res/layout/chan_ban_rowlayout.xml
signing: res/layout/fav_main.xml
signing: res/layout/go_to_fav.xml
signing: res/layout/goto_rowlayout.xml
signing: res/layout/home.xml
signing: res/layout/info.xml
signing: res/layout/madil.xml
signing: res/layout/main.xml
signing: res/layout/media.xml
signing: res/layout/options_activity_main.xml
signing: res/layout/options_newpage1.xml
signing: res/layout/options_rowlayout.xml
signing: res/layout/rem_col.xml
signing: res/layout/rempop.xml
signing: res/layout/rowlayout.xml
signing: res/layout/setrem.xml
signing: res/layout/settings.xml
signing: res/layout/settings_rowlayout.xml
signing: res/layout/showrem.xml
signing: res/layout/tvguide.xml
signing: res/menu/main.xml
signing: res/raw/h264.mp4
signing: AndroidManifest.xml
signing: resources.arsc
signing: res/drawable-hdpi/app_favorites.png
signing: res/drawable-hdpi/app_home.png
signing: res/drawable-hdpi/app_settings.png
signing: res/drawable-hdpi/app_tv_guide.png
signing: res/drawable-hdpi/arrow_blue_up.png
signing: res/drawable-hdpi/arrow_grey_down.png
signing: res/drawable-hdpi/grey.png
signing: res/drawable-hdpi/grey_grad_bg_27.png
signing: res/drawable-hdpi/ic_launcher.png
signing: res/drawable-hdpi/icon_settings.png
signing: res/drawable-hdpi/intv_logo.png
signing: res/drawable-hdpi/launcher.png
signing: res/drawable-hdpi/pause.png
signing: res/drawable-hdpi/red_grad_bg_26.png
signing: res/drawable-hdpi/resize.png
signing: res/drawable-hdpi/screen_shot.png
signing: res/drawable-hdpi/stop.png
signing: res/drawable-ldpi/app_settings.png
signing: res/drawable-ldpi/ic_launcher.png
signing: res/drawable-ldpi/pause.png
signing: res/drawable-mdpi/ic_launcher.png
signing: res/drawable-xhdpi/ic_launcher.png
signing: classes.dex


To verify that your APK is signed, you can use a command like this:
$ jarsigner -verify -verbose MediaPlayer.apk
The last line of the output will read:
jar verified.

4. Align the final APK package

The zipalign tool ensures that all uncompressed data starts with a particular byte alignment, relative to the start of the file. Ensuring alignment at 4-byte boundaries provides a performance optimization when installed on a device. When aligned, the Android system is able to read files with mmap(), even if they contain binary data with alignment restrictions, rather than copying all of the data from the package.
$ zipalign -v 4 MediaPlayer.apk IPTV_MediaPlayer.apk
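
An added example (not part of the original post): a Python check of the alignment property described above. It reads each uncompressed (stored) entry's local header to find where its data begins and reports entries that do not start on a 4-byte boundary; the sample archive is constructed in memory, and the function names are this example's own.

```python
import io
import struct
import zipfile

# Fixed 30-byte ZIP local file header; the last two fields are name and extra lengths.
LOCAL_HEADER = struct.Struct("<4s5H3L2H")


def data_offset(fp, info):
    """Offset of an entry's first data byte, read from its local header."""
    fp.seek(info.header_offset)
    fields = LOCAL_HEADER.unpack(fp.read(LOCAL_HEADER.size))
    if fields[0] != b"PK\x03\x04":
        raise ValueError("bad local header: " + info.filename)
    return info.header_offset + LOCAL_HEADER.size + fields[9] + fields[10]


def misaligned_entries(fp, alignment=4):
    """Return (name, offset) for every stored entry whose data is not aligned."""
    bad = []
    with zipfile.ZipFile(fp) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue  # deflated entries are inflated on read, so they are skipped
            offset = data_offset(fp, info)
            if offset % alignment:
                bad.append((info.filename, offset))
    return bad


def build_sample(pad, alignment=4):
    """Constructed in-memory APK-like archive; pad=True aligns via the extra field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("res/raw/h264.mp4", b"\x00" * 6),
                           ("resources.arsc", b"\x02\x00\x0c\x00")):
            info = zipfile.ZipInfo(name)  # ZipInfo defaults to ZIP_STORED
            if pad:
                start = buf.tell() + LOCAL_HEADER.size + len(name)
                info.extra = b"\x00" * (-start % alignment)
            zf.writestr(info, data)
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 20,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf


if __name__ == "__main__":
    print(misaligned_entries(build_sample(pad=False)))  # [('res/raw/h264.mp4', 46)]
    print(misaligned_entries(build_sample(pad=True)))   # []
```

To check a real package, pass a file opened in binary mode, for example open("IPTV_MediaPlayer.apk", "rb").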