Android signature

Overview

In order to ensure security in application distribution, Android offers the possibility of signing applications with a Java certificate so that they can be trusted by mobile handsets.

There are two steps in signing Java applications:

  • Obtain the appropriate cryptographic key/certificate pair for signing
  • Sign the application binaries

The signature is determined by parameters given in the URS file.

Note

The signing process is provided by NeoMAD, but obtaining the certificate from an authorized authority, deciding to sign an application and signing are the distributor’s responsibility.

Generate the private key

The Android system requires that all installed applications be digitally signed. For debug and test builds, the application is signed with a special debug key created by the Android build tools. For release, the application must be signed with a user-specific private key.

To generate the private key:

  1. Make sure that the Keytool and Jarsigner utilities are available to the Android SDK build tools
  2. Generate a self-signed key with Keytool, for example with this command line: keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000. This will prompt you for the keystore and key passwords and for a name for the key. A keystore file named “my-release-key.keystore” will be generated; it will be valid for 10000 days. The alias will be required in the URS file.

Note

To obtain more details about the Android signature policy, refer to the Android documentation.

Sign the application with NeoMAD for publication

Fill in the URS signing tag with the information on the certificate used.

This information must be set in the URS file in a <signature><java> tag as described below:

<signature>
   <java keystore="test.keystore"
       storepassword="test_password"
       keypassword="test_password"
       alias="neomades" />
</signature>

Several certificates can be set, each with or without conditions that activate it. Take care with the conditions, because only one <signature> or <java> tag can be active at a time when compiling for a given target.

The certificate information is as follows:

  • “keystore” file: this setting specifies the keystore file that contains the private key used to sign the application binaries and the certificate used to verify the signature
  • “alias”: the Key Alias identifies a particular key in the keystore file
  • “storepassword”: password needed to grant access to retrieve information from the keystore file
  • “keypassword”: password for the particular key alias
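As an added example (not NeoMAD's own code), the following Python script checks a URS <signature><java> block before a release build: every required attribute is present, the keystore file exists, and it looks like a JKS or PKCS12 container (the two formats keytool writes). The syntax of activation conditions is not described above, so the script assumes a condition appears as an extra attribute on <java>; the sample URS fragment and keystore bytes are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Callable, Optional

REQUIRED = ("keystore", "alias", "storepassword", "keypassword")
JKS_MAGIC = b"\xfe\xed\xfe\xed"   # header of a legacy JKS keystore
PKCS12_TAG = b"\x30"              # DER SEQUENCE: PKCS12, keytool's default since JDK 9

def keystore_format(data: bytes) -> str:
    """Identify the keystore container by its leading bytes."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(PKCS12_TAG):
        return "PKCS12"
    return "unknown"

def read_file(path: str) -> Optional[bytes]:
    p = Path(path)
    return p.read_bytes() if p.is_file() else None

def check_signature(urs_xml: str, load: Callable[[str], Optional[bytes]] = read_file) -> list:
    """Return the problems found in a <signature> block (empty list = looks usable)."""
    problems = []
    root = ET.fromstring(urs_xml)
    sig = root if root.tag == "signature" else root.find(".//signature")
    if sig is None:
        return ["no <signature> element"]
    javas = sig.findall("java")
    if not javas:
        return ["<signature> contains no <java> element"]
    # Assumption: an activation condition shows up as an extra attribute on <java>,
    # so an entry carrying only the four required attributes is unconditional.
    unconditional = [j for j in javas if set(j.attrib) <= set(REQUIRED)]
    if len(unconditional) > 1:
        problems.append(f"{len(unconditional)} unconditional <java> entries; only one can be active")
    for j in javas:
        missing = [a for a in REQUIRED if not j.get(a)]
        if missing:
            problems.append("<java> missing attribute(s): " + ", ".join(missing))
            continue
        data = load(j.get("keystore"))
        if data is None:
            problems.append("keystore not found: " + j.get("keystore"))
        elif keystore_format(data) == "unknown":
            problems.append(j.get("keystore") + " is neither a JKS nor a PKCS12 keystore")
    return problems

if __name__ == "__main__":
    # Constructed sample: the fragment from this page plus fake JKS keystore bytes.
    urs = '<signature><java keystore="test.keystore" storepassword="test_password" keypassword="test_password" alias="neomades"/></signature>'
    fake = {"test.keystore": b"\xfe\xed\xfe\xed\x00\x00\x00\x02"}
    print(check_signature(urs, fake.get))
```

In real use call check_signature with the URS file contents and the default loader, which reads keystore paths relative to the current directory.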