Android application signing for publishing to Android market or real device installation...

If we want to publish an Android application, we first need to write it. The result of our programming is an .APK file, which is the actual program binary of our application. However, the .APK file our compiler creates can only be used with the emulator on our desktop PC or Mac. One cannot use the same .APK file to install and run an application on the real Android phones available on the market.


Why is that? Google wants to protect phone users from installing and running fraudulent software on their devices. Therefore, each and every application needs to be signed with a valid certificate that attests to where the application comes from. Meaning: the developer signs the application with his/her certificate so that it is always traceable where the application comes from. There are several more reasons for this, so let's check out what Google says about this topic:
The important points to understand about signing Android applications are:
  • All applications must be signed. The system will not install an application that is not signed.
  • One can use a self-signed certificate to sign an application. No certificate authority is needed.
  • When we are ready to publish our application, we must sign it with a suitable private key. One cannot publish an application that is signed with the default key generated by the SDK tools.
  • The system tests a signer certificate’s expiration date only at install time. If an application’s signer certificate expires after the application is installed, the application will continue to function normally.
  • One can use standard tools — Keytool and Jarsigner — to generate keys and sign the application .apk files.
3 easy steps for getting what we need to sign applications...

  • Export unsigned application using Eclipse
    To do so we need to right-click the package name and select Android Tools -> Export Unsigned Application. Then we specify the path where the .apk should be stored.
  • Generate our own certificate
    There is a utility in the JDK, keytool.exe. We will use it to generate our own certificate. The command that generates a certificate for us looks like this:
    keytool -genkey -v -keystore somename.keystore -alias somename -keyalg RSA -validity 10000
    We will be prompted for some information on the command line, including the password we want to use for our keystore. We have to keep it safe. And we should keep in mind that our certificate should be valid until 22 October 2033. As a result, keytool.exe generates a keystore named somename.keystore. We will use it to sign our Android applications.
  • Sign our application with our own certificate
    Now we have our own certificate and the Android application we want to publish on the Market. So we need to sign it using jarsigner.exe (it is also included in the JDK). We will use the following command to sign our app:
    jarsigner -verbose -keystore somename.keystore PathToYourApp.apk somename
And that’s it! The Android application is signed with our own certificate!
        
To verify that our .apk is signed, we can use a command like this:

$ jarsigner -verify CoolApp.apk
 
If the .apk is signed properly, Jarsigner prints “jar verified”. If we want more details, we can try one of these commands:

$ jarsigner -verify -verbose CoolApp.apk
or
$ jarsigner -verify -verbose -certs CoolApp.apk
 
With the -certs option added, the command above also shows the details of the certificate used to sign the application.
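What "jar verified" actually checks, as an added example that is not part of the original post: a Python model of the JAR (v1) digest chain inside an APK, run against a constructed toy APK. It covers the two digest layers (zip entry to MANIFEST.MF, manifest section to CERT.SF); the PKCS#7 signature in CERT.RSA that binds CERT.SF to the developer's certificate, and the 72-byte line wrapping of real manifest files, are left out.

```python
import base64, hashlib, io, zipfile

def b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_sections(text: str) -> dict:
    """Map each 'Name:' section of a MANIFEST.MF / .SF to (raw section text, SHA-256-Digest)."""
    out = {}
    for raw in text.split("\n\n"):  # sections are separated by a blank line, which belongs to them
        attrs = dict(line.split(": ", 1) for line in raw.splitlines() if ": " in line)
        if "Name" in attrs:
            out[attrs["Name"]] = (raw + "\n\n", attrs.get("SHA-256-Digest"))
    return out

def build_apk(entries: dict) -> bytes:
    """Constructed toy v1-signed APK: content entries plus MANIFEST.MF and CERT.SF (no CERT.RSA)."""
    manifest = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nSHA-256-Digest: {b64sha256(d)}\n\n" for n, d in entries.items())
    sf = "Signature-Version: 1.0\n\n" + "".join(  # each CERT.SF entry digests one manifest section
        f"Name: {n}\nSHA-256-Digest: {b64sha256(raw.encode())}\n\n" for n, (raw, _) in parse_sections(manifest).items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in list(entries.items()) + [("META-INF/MANIFEST.MF", manifest), ("META-INF/CERT.SF", sf)]:
            z.writestr(n, d)
    return buf.getvalue()

def tamper(apk: bytes, name: str, data: bytes) -> bytes:
    """Swap one entry's content without touching META-INF, which is what a repackaged APK looks like."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(out, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, data if n == name else src.read(n))
    return out.getvalue()

def check_v1_digests(apk: bytes) -> list:
    """Return the problems found; an empty list means the digest chain is consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        mf = parse_sections(z.read("META-INF/MANIFEST.MF").decode())
        # layer 1: every content entry must be listed in MANIFEST.MF with a matching digest
        for name in (n for n in z.namelist() if not n.startswith("META-INF/")):
            if name not in mf:
                problems.append(f"{name}: not listed in MANIFEST.MF")
            elif mf[name][1] != b64sha256(z.read(name)):
                problems.append(f"{name}: digest mismatch")
        sf = parse_sections(z.read("META-INF/CERT.SF").decode())
        for name, (_, digest) in sf.items():  # layer 2: CERT.SF digests each manifest section (what CERT.RSA signs)
            if name not in mf or digest != b64sha256(mf[name][0].encode()):
                problems.append(f"{name}: CERT.SF digest does not match MANIFEST.MF")
    return problems
```

Replacing classes.dex after signing leaves META-INF untouched, so layer 1 reports the mismatch; replacing MANIFEST.MF instead is caught by layer 2, because CERT.SF no longer matches.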
NOTE:
Select strong passwords for the keystore and key.
When you use keytool and jarsigner, do not supply the -storepass and -keypass options at the command line, as the passwords would then end up in the shell history and be visible to other users in the process list.
