Apr 3

Signing your Android Application

Generating Your Own Key:

If you wish to publish your application to other users, you are required to sign your application with your own personal certificate. You can generate your own certificate with keytool.exe, which ships in the bin folder of the JDK. In most cases, you can tell the SDK build tools how to find keytool by making sure that your JAVA_HOME environment variable is set and that it references a suitable JDK. Alternatively, you can add the JDK's bin folder (which contains keytool) to your PATH variable.

To generate your own certificate, issue the following command:

keytool -genkey -v -keystore sourcebits.keystore -alias CoolApp -keyalg RSA -validity 10000

The above command generates a keystore file named sourcebits.keystore containing a key pair under the alias CoolApp, generated using the RSA algorithm, with a validity of 10,000 days (this is the minimum recommended).

You will be prompted for some information:

What is your first and last name?

[unknown]: <enter your first and last name>

What is the name of your organizational unit?

[unknown]: <enter your organizational unit>

What is the name of your organization?

[unknown]: <enter the name of your company>

What is the name of your City or Locality?

[unknown]: <enter the name of your city>

What is the name of your State or Province?

[unknown]: <enter the name of your state>

What is the two-letter country code for this unit?

[unknown]: <enter the two-letter country code>, e.g. for the USA it is US.

If you are publishing your application for the Android Market, your keystore must have a validity period that ends after 22 October 2033 (which is why a validity of at least 10000 days is recommended).

Keytool prompts you to provide passwords for the keystore and key. It then generates the keystore as a file called sourcebits.keystore. The keystore and key are protected by the passwords you entered. The keystore contains a single key, valid for 10000 days. The alias is the name you will use later to refer to this key when signing your application. Secure and protect these two passwords so that only people who are authorized to sign your applications know them.

Signing your Android application:

All Android applications must be signed before they are allowed to be deployed onto a device. The Android Market has made it mandatory to at least self-sign your app before it is accepted. Unlike other mobile platforms, you need not purchase a digital certificate from a certificate authority (CA). Instead, you can self-sign (generate your own personal certificate and use it to sign your Android applications).

To sign your application manually:

Have a project that generates your executable with the name you desire for your application.

(PAIN POINT: Your signing may fail otherwise).

Go to Eclipse, right-click on the project -> Android Tools -> Export Unsigned Application Package and select the apk file. You will then be asked to select a directory for exporting the application. For convenience you can export the Android package (with the .apk extension) to JDK/bin.

Then sign the exported package with jarsigner, passing the keystore, the .apk and the key alias:

jarsigner -verbose -keystore sourcebits.keystore CoolApp.apk CoolApp

When prompted for the password for the keystore, use the password that was supplied during the key generation.

To verify that the application is signed correctly, you can use the -verify option of jarsigner.exe.

To verify that your .apk is signed, you can use a command like this:

$ jarsigner -verify CoolApp.apk

If the .apk is signed properly, Jarsigner prints “jar verified”. If you want more details, you can try one of these commands:

$ jarsigner -verify -verbose CoolApp.apk

or

$ jarsigner -verify -verbose -certs CoolApp.apk

With the -certs option added, as in the last command above, jarsigner also prints the details of the certificate used to sign the application.
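As an added illustration (not code from the original post), the following Python shows the integrity half of what jarsigner -verify checks: an APK is a JAR-format zip, so it looks for the META-INF signature files and recomputes each entry's manifest digest. It does not validate the .SF file against the .RSA block, so it cannot replace jarsigner; the sample APK it builds is constructed in memory with placeholder signature files.

```python
import base64, hashlib, io, re, zipfile
DIGEST_ALGS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}  # attributes jarsigner writes

def parse_manifest(text):
    """Return {entry name: {attr: value}} for the per-entry sections of a JAR manifest."""
    lines = re.sub(r"\n ", "", text.replace("\r\n", "\n")).split("\n")  # join 72-byte continuation lines
    entries, section = {}, {}
    for line in lines + [""]:                       # a blank line closes the current section
        if line:
            key, _, value = line.partition(": ")
            section[key] = value
            continue
        if "Name" in section:
            entries[section["Name"]] = section
        section = {}
    return entries

def check_jar_signature(apk_bytes):
    """Return (signed, problems): signed means a .SF plus .RSA/.DSA block exist under META-INF;
    problems lists entries whose manifest digest is missing or does not match their bytes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.startswith("META-INF/")]
        signed = any(n.endswith(".SF") for n in meta) and any(n.endswith((".RSA", ".DSA")) for n in meta)
        if "META-INF/MANIFEST.MF" not in names:
            return signed, ["META-INF/MANIFEST.MF missing"]
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue                            # signature files and directories carry no digest
            attrs = manifest.get(name, {})
            algs = [a for a in DIGEST_ALGS if a in attrs]
            if not algs:
                problems.append(f"{name}: no digest in manifest")
            elif any(DIGEST_ALGS[a](zf.read(name)).digest() != base64.b64decode(attrs[a]) for a in algs):
                problems.append(f"{name}: digest mismatch (contents changed after signing)")
    return signed, problems

def build_sample_apk(dex_bytes, digested_bytes, signed=True):
    """Constructed sample APK (not jarsigner output): CERT.SF/CERT.RSA are placeholders; signed=False omits META-INF."""
    digest = base64.b64encode(hashlib.sha256(digested_bytes).digest()).decode()  # manifest digests digested_bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex_bytes)       # the zip itself holds dex_bytes
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA-256-Digest: {digest}\r\n\r\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 block")
    return buf.getvalue()
```

Passing the same bytes as dex_bytes and digested_bytes yields a consistent package; different bytes simulate a file modified after signing, which is the case jarsigner reports as a digest mismatch.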

NOTE:

Select strong passwords for the keystore and key.

When you use keytool and jarsigner, do not supply the -storepass and -keypass options at the command line.

Posted by Shesh in Applications

Comments

  1. Ken wrote on September 12, 2009:

    What’s the difference between a signed and unsigned apk? I’m new to this and the android dev guide is more than a little vague about this. It says you can distribute a signed or unsigned apk. I don’t get it.