Signing
When you develop applications for Android you must sign them, using a digital certificate whose private key is owned by you, the application developer. The certificate does not need to be issued by a certificate authority; a self-signed certificate is what is normally used.
Why sign?
There are several reasons for signing your applications. The most important is that Android uses the signing certificate to identify who made an application and to decide which other applications it can trust, so the application must be signed with your own private key.
Another thing to keep in mind, as of the 1.6 SDK, is alignment: as mentioned in the previous post about zipalign, a package must be aligned after it has been signed, because signing rewrites the package. There are more aspects to signing in Android than one would think:
Application upgrading: Android only installs an update over an existing application if the update is signed with the same certificate as the installed version.
Application modularity: Android allows applications signed with the same certificate (and declaring the same shared user ID) to run in the same process, so you can deploy your application as modules.
Code/data sharing through permissions: the Android system provides signature-based permission enforcement, so an application can expose functionality to another application only if that application is signed with the same certificate. By signing multiple applications with the same certificate and using signature-level permission checks, your applications can share code and data securely.
Validity
A validity of 25 years or more is recommended. Once the key's certificate has expired, users can no longer seamlessly upgrade to new versions of your application. When choosing the validity, keep in mind that it must outlast every application signed with the key, including dependent applications (modules) you add in the future.
Market
If you plan to put your applications on the Android Market, the validity period must end after 22 October 2033. This date is enforced by the Android Market server and is there to ensure that users can keep upgrading their applications seamlessly.
When to sign
When your application is ready to be released to the Market, check that it is signed for release: the debug key generated by the SDK won't do.
How to sign
There are two ways of signing your applications: manually, or from the build tool you are using, which for Android means Ant or the ADT plug-in.
Manual approach:
In the manual approach you use keytool and jarsigner from the command line; both are bundled with the Java Development Kit (JDK). First compile your application as an unsigned .apk. Then, if you don't already have one, create a keystore and key by running keytool.
Creating a keystore/key with keytool:
The command below creates a keystore containing a key you can use to sign your packages. The keystore is a password-protected file that holds the keys and certificates used to sign your application.
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -validity 10000
When you run keytool with these parameters it asks for the information it needs to create the keystore and certificate:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Jon Doe
What is the name of your organizational unit?
[Unknown]: R&D
What is the name of your organization?
[Unknown]: Corparation
What is the name of your City or Locality?
[Unknown]: Kongsberg
What is the name of your State or Province?
[Unknown]: Buskerud
What is the two-letter country code for this unit?
[Unknown]: NO
Is CN=Jon Doe, OU=R&D, O=Corparation, L=Kongsberg, ST=Buskerud, C=NO correct?
[no]: yes
Generating 1024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10000 days for: CN=Jon Doe, OU=R&D, O=Corparation, L=Kongsberg, ST=Buskerud, C=NO
Enter key password for alias_name
(RETURN if same as keystore password):
[Storing my-release-key.keystore]
-genkey: tells keytool to create a key pair (public and private key) and a self-signed certificate
-v: enable verbose output
-keystore: the location of the keystore file where the key is stored
-validity: the validity of the certificate, given in days
-alias: the alias of your entry inside the keystore file
-keyalg: the algorithm used to generate the key pair; the key size defaulted to 1024 bits in the run above, pass -keysize 2048 for a stronger key
Keep the keystore you just made somewhere safe, and back it up: it is your identity as an application developer. Anyone who gets hold of the keystore and its password can sign applications as you, and if you lose it you can never ship an update to the applications already signed with it.
Signing the application with jarsigner:
To sign your application with the key created above, use the jarsigner tool:
jarsigner -verbose -keystore my-release-key.keystore my_application.apk alias_name
Enter Passphrase for keystore:
adding: META-INF/ALIAS_NA.SF
adding: META-INF/ALIAS_NA.RSA
signing: res/drawable/icon.png
signing: res/layout/main.xml
signing: res/layout/other.xml
signing: AndroidManifest.xml
signing: resources.arsc
signing: classes.dex
Once your application is signed, don't forget to run zipalign on the APK for additional optimization, and check the result with jarsigner -verify.
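The following script ties the validity rules above and the manual steps (keytool, jarsigner, zipalign) together; it is an added example, not code from the original post. It assumes GNU date (for -d) and that keytool, jarsigner and zipalign are on PATH, and it derives the -validity value from the Market cut-off date and the 25-year recommendation instead of hard-coding 10000 days. The constant names, the one-year margin past the cut-off and the 2048-bit key size are choices made here, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: release signing end to end with
# the JDK keytool/jarsigner and the SDK zipalign. The keytool -validity value
# is derived from the Market cut-off date instead of hard-coding 10000.
# Assumptions: GNU date (for -d), and keytool, jarsigner and zipalign on PATH.
set -eu

MARKET_CUTOFF=2033-10-22   # Market server rejects certificates expiring before this
MIN_DAYS=9125              # 25 years: the recommended minimum validity

# Whole days from $1 to $2 (both YYYY-MM-DD). Computed in UTC so daylight
# saving changes cannot skew the division by 86400.
days_between() {
    from=$(date -u -d "$1" +%s)
    to=$(date -u -d "$2" +%s)
    echo $(( (to - from) / 86400 ))
}

# -validity to give keytool for a key generated on $1: at least 25 years,
# and at least one year beyond the Market cut-off.
release_validity_days() {
    past_cutoff=$(( $(days_between "$1" "$MARKET_CUTOFF") + 365 ))
    if [ "$past_cutoff" -gt "$MIN_DAYS" ]; then
        echo "$past_cutoff"
    else
        echo "$MIN_DAYS"
    fi
}

# Generate the release keystore/key once. keytool prompts for the passwords
# and the DN. -keysize 2048 is given explicitly because older keytool
# versions default to 1024-bit RSA, as in the transcript above.
create_release_key() {  # <keystore> <alias>
    validity=$(release_validity_days "$(date -u +%Y-%m-%d)")
    keytool -genkey -v -keystore "$1" -alias "$2" \
        -keyalg RSA -keysize 2048 -validity "$validity"
}

# Sign the unsigned APK into a temporary file, align that (alignment must
# follow signing because jarsigner rewrites the zip), then verify the
# signature and print the signer certificate so you can check it is the
# release key and not the debug key.
sign_release() {  # <keystore> <alias> <unsigned.apk> <out.apk>
    tmp="$4.unaligned"
    jarsigner -verbose -keystore "$1" -signedjar "$tmp" "$3" "$2"
    zipalign -f -v 4 "$tmp" "$4"
    rm -f "$tmp"
    jarsigner -verify -verbose -certs "$4"
}

# Usage: sh sign-release.sh <keystore> <alias> <unsigned.apk> <out.apk>
# The keystore is created on first use.
if [ "$#" -eq 4 ]; then
    [ -f "$1" ] || create_release_key "$1" "$2"
    sign_release "$@"
fi
```

Running it as `sh sign-release.sh my-release-key.keystore alias_name my_application-unsigned.apk my_application.apk` creates the keystore on the first run (keytool prompts as in the transcript above) and on every run signs, aligns and verifies the package. The final `jarsigner -verify -certs` output is worth reading each time: it shows which certificate signed the APK, which is the quickest way to catch a package accidentally built with the debug key.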
Using ADT
The Android SDK tools can assist with signing both while debugging and when you are ready for a release. Both the Android Development Tools (ADT) plug-in for Eclipse and Ant support debug and release signing; Ant signing is not covered here.
Debug mode signing
When you are developing and testing you typically compile in debug mode. In this mode the build tools automatically use keytool from the JDK to create a keystore and key with a known password and alias, so you are not prompted for the keystore/key password on every compile. The self-signed certificate used for debug signing expires 365 days after it is created, so a year after you started signing in debug mode you may run into:
debug:
[echo] Packaging bin/samples-debug.apk, and signing it with a debug key...
[exec] Debug Certificate expired on 8/4/08 3:43 PM
To remedy this, delete debug.keystore from the default storage location in the AVD/SDK user directory (~/.android); the next debug build creates a new one.
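Rather than waiting for the build to fail, the debug certificate can be checked up front. The script below is an added example, not code from the original post. It assumes the SDK's documented debug defaults (~/.android/debug.keystore, alias androiddebugkey, store password "android") and that keytool and openssl are on PATH; the function names and the status words are choices made here.

```shell
#!/bin/sh
# Added example, not from the original post: detect an expired debug
# certificate before a build fails on it, and remove the keystore so the
# next debug build regenerates it. Assumes the SDK's documented debug
# defaults (~/.android/debug.keystore, alias androiddebugkey, password
# "android") and keytool and openssl on PATH.
set -eu

DEBUG_KEYSTORE="${HOME:-.}/.android/debug.keystore"

# Prints valid|expired|missing for the debug certificate in keystore $1 and
# returns 0, 1 or 2 respectively (3 if keytool or openssl is not installed).
debug_key_status() {
    ks="$1"
    if [ ! -f "$ks" ]; then
        echo "missing"
        return 2
    fi
    for tool in keytool openssl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 3; }
    done
    # Export the certificate as PEM; openssl's -checkend 0 exits non-zero
    # when notAfter is already in the past.
    if keytool -exportcert -rfc -keystore "$ks" -storepass android \
           -alias androiddebugkey | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "valid"
        return 0
    fi
    echo "expired"
    return 1
}

# Deletes keystore $1 only when its certificate has expired, and prints the
# status that was found.
refresh_debug_key() {
    status=$(debug_key_status "$1") || true
    if [ "$status" = expired ]; then
        rm -f "$1"
        echo "removed $1; the next debug build will create a fresh one" >&2
    fi
    echo "$status"
}

# Usage: sh debug-key-check.sh --check [keystore]
# (defaults to ~/.android/debug.keystore)
case "${1:-}" in
    --check) refresh_debug_key "${2:-$DEBUG_KEYSTORE}" ;;
esac
```

Only the expired case deletes anything: a missing keystore is left for the build tools to create, and a valid one is kept, since replacing it would also change the debug signature and force a reinstall of every debug build on your devices.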
ADT release signing
Luckily the ADT Export Wizard can do all of this for you. It can even generate the key, and as mentioned in the previous post it also aligns the package.
Creating a new keystore
The first thing to do is to open the Export Signed Application Package wizard.
It then asks which project you want to export.
In the next step you choose between using an existing keystore and creating a new one; we'll create a new one first.
Here you enter an alias and password for the key, the validity period for the certificate, and the certificate details such as the first and last name of the signer.
Then tell it where to export the signed package, and you're done.
Using an already existing keystore
If you already have a keystore you want to use, select "Use existing keystore".
Select the keystore's location and enter the password you chose when creating it.
Now choose the key alias you defined when creating the keystore and enter its password.
And you're done: signed and ready to go.
For more information, see the keytool documentation and the section on signing in the Android documentation (recommended).