Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>You need to provide location and filename for your new keystore file in case you are creating a new one. Alternatively, you could choose "use existing keystore" and browse to existing keystore file location.<br></p> <p><strong>Edit</strong>: I thought I would provide elaborate answer. Hope this info would be useful.</p> <h2>What is signature and why it is needed.</h2> <p>The apk signature mechanism used by android is an example <a href="http://en.wikipedia.org/wiki/Digital_signature#Uses_of_digital_signatures" rel="nofollow noreferrer">usage of digital signature</a> applied to bytecode and resources of the application to ensure :</p> <ul> <li>integrity (no tampering with your app after downloading) </li> <li>authenticity - You are the one who released the app to GooglePlay</li> </ul> <p>To better understand <a href="http://en.wikipedia.org/wiki/Digital_signature" rel="nofollow noreferrer">digital signature</a> I suggest you also skim through <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" rel="nofollow noreferrer">public-key cryptography</a>.</p> <h2>How does that work.</h2> <p>Android uses same standard JDK tools used for signature/verification of standard java apps:</p> <ul> <li><a href="http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html" rel="nofollow noreferrer">jarsigner</a> - signs data with provided <code>private key</code>, and verifies data with <a href="http://en.wikipedia.org/wiki/Public_key_certificate" rel="nofollow noreferrer">certificate</a> (i.e. public key bound to your identity)</li> <li><a href="http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html" rel="nofollow noreferrer">keytool</a> - manages private keys and certificates in your <code>keystore</code>. Those keys are needed for <code>jarsigner</code>.</li> </ul> <p>After you sign your application manually with <code>jarsigner</code> or export signed application using your IDE (which uses <code>keytool</code> and <code>jarsigner</code> under the hood anyway), you can then locate signature-related files placed in <code>META-INF</code> directory of your signed .apk archive :</p> <ul> <li>CERT.SF - file containing <code>SHA</code> hashes of your app components and</li> <li>CERT.RSA (or .DSA) - digital signature of above mentioned file + public certificate to verify this signature. You can read more details about how singing works <a href="http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html#SignedJAR" rel="nofollow noreferrer">here</a>.</li> </ul> <h2>How to properly sign application for release.</h2> <p><a href="http://developer.android.com/tools/publishing/app-signing.html#releasemode" rel="nofollow noreferrer">This article</a> very well describes steps you need to follow.</p> <p><strong>Note</strong>: Please consider important pre-release steps before you proceed with signing : logs/ critical string literals removal, obfuscation with <a href="http://developer.android.com/tools/help/proguard.html" rel="nofollow noreferrer">proguard</a>, etc.</p> <p>Below I will provide some key points for the process :<br></p> <h3>Generate your private key and put it in java <code>keystore</code>.</h3> <p>This may require creating <code>keystore</code> first if you don't have one. When creating <code>keystore</code> you need to create <code>Keystore password</code>, that is used to ensure integrity of <code>keystore</code> data (i.e. you will be warned that your keystore is tampered with after someone - not you -has added new certificate to it). Practically, this password is not super crucial if you keep your <code>keystore</code> file safe. You can get away if you forget it some day.<br></p> <p>When generating <code>private key</code>, you will be also asked to create <code>PrivateKey password</code> that will be used to encrypt your private key inside the keystore. <strong>This is the very important password you need to keep</strong> as it ensures </p> <ul> <li>your <em>private</em> key is really <em>private</em>. and most importantly </li> <li>without this password you won't be able to use you private key to sign and release future updates for your application;<br></li> </ul> <p>When you generate your new private key in Eclipse, you will also be asked to provide identity information that is used to create your self-signed certificate.</p> <p>As the next step your <code>private key</code> from specified <code>keystore</code> file will be used to sign the application and your <code>.apk</code> will be updated with signature-related files explained above.</p> <h2>Some important terminology :</h2> <p><strong>Keystore</strong> is simply a single binary file keeping list of your private keys / certificates in a specific format. It is programmatically accessible using API provided by <a href="http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html" rel="nofollow noreferrer">KeyStore.java</a>. Your keystore can contain multiple private key entries, each identified by its <code>alias</code>. <br> In majority of cases your <code>keystore</code> will have single private key with single self-signed certificate matching this private key.</p> <p><strong>Keystore password</strong> is used for integrity check of the keystore content.<br/> If you loose this password, but you still have password for private key stored inside, you can "clone" your keystore and provide new keystore password by running the following cmd:<br></p> <blockquote> <p>keytool -importkeystore -srckeystore path/to/keystore/with/forgotten/pw -destkeystore path/to/my/new/keystore</p> </blockquote> <p>provide new password, and leave old keystore password blank - you will only get warning. You can then use your new keystore and get rid of old one.<br> There are other ways you can retrieve your private key without using keystore password.</p> <p><strong>Private key password</strong> - protects(by encrypting) <code>private key</code> inside <code>keystore</code>. It is extremely important as it allows you to access your private key to, among other things, sign updates for your application. It is generally very hard to recover it.</p> <p><strong>Self-signed ceritificate</strong> - very simple certificate binding your identity(name/organization/email) to your public key. This certificate is added to <code>.apk</code> file during signing operation and will be used on user's device to verify <code>.apk</code> before installation.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload