Thursday, December 8, 2011

How to Sign APKs/ROM ZIPs

Android Sign
Android APKs and flashable ZIPs have to be signed so that the device can check, before installing, that nothing has changed the contents since the signer produced them. Any change to a file inside the archive (even just repacking it) invalidates the existing signature, so a modified apk/zip has to be re-signed. You can do that with either the public 'test keys' or your own private key.
While developing and testing, test keys are the convenient choice. Despite the name they are not random: they are the well-known AOSP platform test keys (testkey.pk8 and testkey.x509.pem under build/target/product/security/ in the AOSP source tree), which anyone can download. Most ROM devs ship with them because it is easy, but since everyone has the same key, anyone can produce a package that looks exactly like it came from you, and Android treats any app signed with the same certificate as an update from the same author.
When the apk is ready for release, sign it with your own private key. Only someone holding the key file (key.pk8 below) can produce a valid signature, so people can be sure the package comes from you and that nobody has modified it. Keep that file backed up and off shared machines: Android identifies your app by its signing certificate, so a lost key means you can never update the app again, and a stolen key lets its holder push updates in your name. Private-key signing is more secure, but it takes a few more steps.

Sign with Test Keys

This is the easier method by far. Grab ZipSigner from the Android Market, copy your apk/zip to your SD card, open the app and tap 'Choose In/Out' to pick the input and output files. Leave 'Key/Mode' on auto and tap 'Sign the File'. When it finishes you have a test-key-signed apk/zip on your SD card. Remember that this signature only proves the file is intact; it says nothing about who made it, because everyone has the test key.

Sign with Private Keys

If you are using Eclipse with the ADT plugin set up correctly, you can use the Export wizard in Eclipse to create a private key (stored in a Java keystore) and sign your app.
Otherwise, sign from the command line with OpenSSL and SignApk:
- If you are on Windows, download OpenSSL and extract it somewhere on your hard drive, for example C:\signapk. Linux/Unix/Mac users normally have it already (check with openssl version). Both platforms need a Java runtime for SignApk.jar.
- Now download SignAPK and extract it to C:\signapk (or /home/user/signapk on Linux)
- Put the apk/zip you want to sign in that folder too
- Now we need to generate some keys:
Windows: Open a command prompt and type:
cd \
cd signapk
Linux/Mac/Unix: Open the Terminal and type:

cd ~/signapk
Now type the following:

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out request.pem
openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
java -jar SignApk.jar certificate.pem key.pk8 Application.apk Application_signed.apk
(Replace Application.apk and Application_signed.apk with your apk/zip filename and the name you want for the signed copy.)
Notes on these commands:
- The first line makes a 2048-bit RSA key. 1024-bit RSA, which many older guides use, is no longer considered safe and should not be used for a key that has to stay trustworthy for years.
- The req command asks for the certificate details (country, organisation, common name and so on). Fill them in however you like; the answers only identify you to anyone who inspects the certificate. Leave the challenge password empty.
- -nocrypt writes key.pk8 unencrypted. Anyone who copies key.pem or key.pk8 can sign as you, so keep them out of the ROM/source folder you share and back them up somewhere safe.
- For a recovery-flashable ZIP, add -w so SignApk also appends the whole-file signature that recovery checks: java -jar SignApk.jar -w certificate.pem key.pk8 update.zip update_signed.zip
You can also just run the last command to sign a new apk with your previous key; the four openssl commands only need to be run once.
Your apk/zip is now signed with your private key and ready to publish! :D
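The whole private-key procedure collected into one script, as an added example (this is not the original post's code). It assumes openssl, java and unzip on PATH and SignApk.jar in the current directory; the key name "release", the certificate subject and the file names are placeholders. It also adds checks the post leaves out: that the generated PKCS#8 key really belongs to the certificate (a classic mistake when an old certificate is paired with a fresh key), the certificate's SHA-256 fingerprint, which you can publish so users can tell your signature from anyone else's, and a way to read the signer fingerprint back out of a signed apk/zip so you can confirm a build is yours and not a test-key build.

```shell
#!/bin/sh
# Added example: generate an Android signing key pair and sign an APK/ZIP with it.
# Assumes: openssl, java and unzip on PATH, SignApk.jar in the current directory.
# "release", the subject DN and the file names are placeholders.
set -eu

# gen_key DIR NAME
#   Writes DIR/NAME.pem (RSA private key), DIR/NAME.x509.pem (self-signed cert,
#   valid 9999 days as in the post) and DIR/NAME.pk8 (unencrypted PKCS#8 DER,
#   the format SignApk expects). Same steps as the post, with a 2048-bit key.
gen_key() {
    dir=$1; name=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$name.pem" 2048 2>/dev/null
    # -subj makes this non-interactive; replace the placeholder DN with your own
    openssl req -new -key "$dir/$name.pem" -subj "/C=US/O=Example ROM/CN=$name" \
        -out "$dir/$name.csr"
    openssl x509 -req -days 9999 -in "$dir/$name.csr" -signkey "$dir/$name.pem" \
        -out "$dir/$name.x509.pem" 2>/dev/null
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$dir/$name.pem" -out "$dir/$name.pk8"
    rm -f "$dir/$name.csr"
    # -nocrypt means the .pk8 is plaintext: anyone who can read it can sign as you
    chmod 600 "$dir/$name.pem" "$dir/$name.pk8"
}

# key_bits KEY.pem -> prints the RSA modulus size (e.g. 2048)
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# key_matches_cert KEY.pk8 CERT.pem -> "ok" if both carry the same public key,
# "mismatch" otherwise. SignApk does not check this for you.
key_matches_cert() {
    k=$(openssl pkey -inform DER -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    if [ "$k" = "$c" ]; then echo ok; else echo mismatch; fi
}

# cert_fingerprint CERT.pem -> SHA-256 fingerprint of the certificate. Publish it
# so users can tell your signature from anyone else's (including the AOSP test key).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# apk_signer_fingerprint PKG -> fingerprint of the certificate embedded in a
# signed apk/zip (META-INF/*.RSA is a DER PKCS#7 blob). Compare with the value
# from cert_fingerprint to confirm who signed a build.
apk_signer_fingerprint() {
    unzip -p "$1" 'META-INF/*.RSA' | openssl pkcs7 -inform DER -print_certs \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# sign_apk CERT.pem KEY.pk8 IN OUT  -> plain APK (JAR-style signature only)
# sign_zip CERT.pem KEY.pk8 IN OUT  -> recovery ZIP; -w adds the whole-file signature
sign_apk() { java -jar SignApk.jar "$1" "$2" "$3" "$4"; }
sign_zip() { java -jar SignApk.jar -w "$1" "$2" "$3" "$4"; }

# Usage: sh sign.sh demo   (creates ./keys/release.*; signs Application.apk if present)
if [ "${1:-}" = demo ]; then
    gen_key keys release
    echo "key size:    $(key_bits keys/release.pem) bits"
    echo "key/cert:    $(key_matches_cert keys/release.pk8 keys/release.x509.pem)"
    echo "fingerprint: $(cert_fingerprint keys/release.x509.pem)"
    if [ -f Application.apk ]; then
        sign_apk keys/release.x509.pem keys/release.pk8 Application.apk Application_signed.apk
        echo "signed by:   $(apk_signer_fingerprint Application_signed.apk)"
    fi
fi
```

Run gen_key once and keep the keys directory out of anything you publish; afterwards only sign_apk or sign_zip is needed per build. The fingerprint printed by apk_signer_fingerprint on a test-key build will be the same for every ROM that uses the test keys, which is exactly why a private key is worth the extra steps.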
