Tuesday, December 13, 2011
How to sign an APK for the Android Market
In order to publish an application on the Android Market, the app must be 'signed' with your own 'certificate'. This tutorial explains how to create a certificate and sign the app by hand.
Important: Future updates and fixes to the app must also be signed with the original certificate in order to maintain the identity of the app. Therefore, you must archive the certificate and its passwords in a safe place for the lifetime of the application.
This tutorial was developed using Eclipse 3.6.2 and command-line tools on Ubuntu Linux 10.04. Other platforms are similar.
- Create an Android app using the Eclipse IDE and Android SDK.
- Have command-line tool 'keytool' from the Java JRE in your path.
- Have command-line tool 'jarsigner' from the Java JRE in your path.
- Have command-line tool 'zipalign' from the Android SDK in your path.
- Recommended: Create directories for release artifacts (this tutorial keeps its keystore under /home/sag/android/certificates/).
Export unsigned APK from Eclipse
From the Package View in Eclipse, right-click the project name -> Android Tools -> Export unsigned application package
Recommended: Specify a filename with 'raw' in the name.
Optional: Make a backup copy.
example: cp myapp.raw.apk myapp.raw.apk.bkp
Note: Multiple certificates may be stored in one container file called a 'keystore database'. This tutorial creates exactly one certificate.
Use the 'keytool' command to create a keystore file containing one certificate, where myalias is an arbitrary name you choose for the key, and storepass (the keystore password) and keypass (the key password) are passwords you memorize and save.
Enter your information when prompted. examples:
First and Last Name: John Doe
Organizational Unit: Android Mobile Development
Location: San Francisco
Verify that a binary file, myalias.keystore, was created. Mine was 1400+ bytes.
Apply the certificate to the unsigned APK.
Note: This step modifies the existing APK file.
jarsigner -keystore "/home/sag/android/certificates/myalias.keystore" myapp.raw.apk myalias
The last two arguments are the APK to sign in place and the alias you chose when creating the keystore; jarsigner prompts for the keystore and key passwords.
Optional: Verify the file is similar in size to the original backup copy.
Align uncompressed data inside the APK on 4-byte boundaries so the system can map it efficiently.
Note: This step creates a new APK file.
zipalign -v 4 myapp.raw.apk myapp.apk
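The three tool steps above collected into one POSIX shell script, as an added example that is not code from the original post. It adds the checks the post asks for (tools on PATH, output "similar in size") and two verification calls the post does not mention: jarsigner -verify and zipalign -c. File names, the alias and the keystore path are assumptions matching the tutorial. Note that jarsigner ships with the JDK, not with a bare JRE, and that passwords are typed at the tools' prompts rather than passed as arguments, so they never end up in shell history or in 'ps' output.

```shell
#!/bin/sh
# Added example, not code from the original post: the tutorial's keytool ->
# jarsigner -> zipalign steps as shell functions, plus the checks the post
# asks for. File names, the alias and the keystore path are assumptions
# matching the tutorial.
set -u

require_tool() {
    # Succeed only if the named command is on PATH (keytool, jarsigner, zipalign).
    command -v "$1" >/dev/null 2>&1
}

file_size() {
    # Size of a file in bytes.
    wc -c < "$1" | tr -d ' '
}

size_grew_within() {
    # Succeed when file $2 is no smaller than file $1 and at most $3 percent
    # larger: the post's sanity check that signing (which adds META-INF/
    # entries) and aligning (which adds a few padding bytes) left the archive
    # otherwise intact.
    before=$(file_size "$1"); after=$(file_size "$2"); limit=$3
    [ "$before" -gt 0 ] && [ "$after" -ge "$before" ] &&
        [ $(( (after - before) * 100 )) -le $(( before * limit )) ]
}

make_keystore() {
    # Create a keystore holding one RSA key pair and its self-signed certificate.
    # Passwords and the name/organisation fields are typed at keytool's prompts.
    # 10000 days of validity keeps the certificate valid past 22 October 2033,
    # which the Market requires for published apps.
    keystore=$1; alias=$2
    require_tool keytool || return 1
    keytool -genkeypair -v -keystore "$keystore" -alias "$alias" \
        -keyalg RSA -keysize 2048 -validity 10000
}

sign_and_align() {
    # Back up the raw APK, sign it in place, verify the signature, then write
    # the aligned copy and verify the alignment. -sigalg/-digestalg pin the
    # JAR signature to SHA1, which every Android release of the time could
    # verify (newer JDKs otherwise default to SHA-256).
    keystore=$1; alias=$2; raw_apk=$3; out_apk=$4
    require_tool jarsigner && require_tool zipalign || return 1
    cp "$raw_apk" "$raw_apk.bkp"
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
        -keystore "$keystore" "$raw_apk" "$alias"
    jarsigner -verify -verbose -certs "$raw_apk"
    zipalign -v 4 "$raw_apk" "$out_apk"
    zipalign -c -v 4 "$out_apk"
    # Final artifact should be only a few percent larger than the backup.
    size_grew_within "$raw_apk.bkp" "$out_apk" 10
}

show_fingerprint() {
    # Print the certificate details and fingerprint to record alongside the
    # archived keystore, so a future update can be checked against them.
    keytool -list -v -keystore "$1" -alias "$2"
}

# Dispatch only when invoked with a sub-command; sourcing the file defines
# the functions without running any tool.
case "${1:-}" in
    keystore)    make_keystore "$2" "$3" ;;
    sign)        sign_and_align "$2" "$3" "$4" "$5" ;;
    fingerprint) show_fingerprint "$2" "$3" ;;
esac
```

Usage, following the tutorial's names: `sh release.sh keystore /home/sag/android/certificates/myalias.keystore myalias` once, then `sh release.sh sign /home/sag/android/certificates/myalias.keystore myalias myapp.raw.apk myapp.apk` for every release, and `sh release.sh fingerprint ... myalias` to note the fingerprint in the same safe place as the keystore. The 10 percent size limit is a constructed threshold; the post's own numbers (64287 raw, 66382 final) grow by about 3 percent.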
Verify that the new aligned APK is similar in size to the raw APK (ls -l output):
-rw-r--r-- 1 sag sag 64287 2011-12-12 15:36 myapp.raw.apk.bkp
-rw-r--r-- 1 sag sag 66375 2011-12-12 15:39 myapp.raw.apk
-rw-r--r-- 1 sag sag 66382 2011-12-12 15:40 myapp.apk
Et voila. The new file, myapp.apk, is your final APK. It may be published on the Android Market.
To install the final APK on a device, you must manually uninstall the previous version of the app. This is required because the previous version was signed with the debug certificate that is built into Eclipse and the Android SDK for our convenience, and Android will not install a package over an existing one that was signed with a different certificate. Also, be sure to tell any beta testers to manually uninstall for the same reason.
As mentioned earlier, you must archive your keystore file (which contains the certificate) and passwords for future use. This is required in order to publish updates to the app. If you lose it and are forced to create a new certificate, the Android Market will treat your updates as a new and different app. Users will not be able to find or install your updates seamlessly. That would be bad. Therefore save your certificate and passwords in multiple places. You've been warned.
It is supposedly possible to sign APKs using a wizard built into Eclipse. It is probably easier than this. Try it once you understand the manual steps outlined here.