Signing release Android applications

Now we can create a cross-platform application, debug it on a PC, and deploy it to Android devices. We cannot, however, upload it on Google Play because it is not (yet) signed properly with the release key.

Getting ready

A detailed explanation of the signing procedure on Android is given in the developer manual at http://developer.android.com/tools/publishing/app-signing.html. We will focus on the signing from the command line and automating the entire process via batch files.

How to do it...

First of all, we need to rebuild the project and create a release version of the .apk package. Let's do it with our App2 project:

>ndk-build -B
>ant release

You should see a lot of text output from Ant, which ends with something like the following command:

-release-nosign:
[echo] No key.store and key.alias properties found in build.properties.
[echo] Please sign App2\bin\App2-release-unsigned.apk manually
[echo] and run zipalign from the Android SDK tools.

Let us generate a self-signed release key using keytool from the JDK through the following command:

>keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

Fill out all the fields necessary for the key, as in the following command:

Enter keystore password:
Re-enter new password:
What is your first and last name?
 [Unknown]: Sergey Kosarevsky
What is the name of your organizational unit?
 [Unknown]: SD
What is the name of your organization?
 [Unknown]: Linderdaum
What is the name of your City or Locality?
 [Unknown]: St.Petersburg
What is the name of your State or Province?
 [Unknown]: Kolpino
What is the two-letter country code for this unit?
 [Unknown]: RU
Is CN=Sergey Kosarevsky, OU=SD, O=Linderdaum, L=St.Petersburg, ST=Kolpino, C=RU correct?
 [no]: yes

Generating 2048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10000 days
 for: CN=Sergey Kosarevsky, OU=SD, O=Linderdaum, L=St.Petersburg, ST=Kolpino, C=RU
Enter key password for <alias_name>
 (RETURN if same as keystore password):
[Storing my-release-key.keystore]

Now we are ready to proceed with the actual application signing. Use the jarsigner tool from the JDK through the following code:

>jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore bin\App2-release-unsigned.apk alias_name

This command is interactive, and it will require the user to enter the keystore password and the key password. However, we can provide passwords in a batch file in the following way:

>jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore -storepass 123456 –keypass 123456 bin\App2-release-unsigned.apk alias_name

Passwords should match what you entered while creating your release key and keystore.

There is one more step left before we can safely publish our .apk package on Google Play. Android applications can access uncompressed content within .apk using mmap() calls. Yet, mmap() may imply some alignment restrictions on the underlying data. We need to align all uncompressed data within .apk on 4-byte boundaries. Android SDK has the zipalign tool to do it, as seen in the following command:

>zipalign -v 4 bin\App2-release-unsigned.apk App2-release.apk

Now our .apk is ready to be published.

See also