Signing Your Android Applications

Posted on Saturday November 15, 2014 / by Eric Potvin

You do not need any specific tools (like Eclipse or Android Studio) to sign your app. The easiest way to sign your app is with the command line tools.

Make sure your application was compiled in release mode before you sign your app.

Generate a private key

Before signing any application, you need to generate your private key. This is done with keytool, which ships with the JDK. You only need to create your private key once.

This command will ask for a keystore password and, optionally, a separate password for the key. Make sure the passwords are stored safely.

keytool -genkey -v -keystore my-private-key.keystore -alias my_alias -keyalg RSA -keysize 2048 -validity 10000

This command will create a file called my-private-key.keystore containing a key under the name (alias) my_alias. The self-signed certificate is valid for 10,000 days.

The result of this command should output something like this:

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  John Doe
What is the name of your organizational unit?
  [Unknown]:  Technology
What is the name of your organization?
  [Unknown]:  BookOfZeus
What is the name of your City or Locality?
  [Unknown]:  Miami
What is the name of your State or Province?
  [Unknown]:  Florida
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=John Doe, OU=Technology, O=BookOfZeus, L=Miami, ST=Florida, C=US correct?
  [no]:  yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days
	for: CN=John Doe, OU=Technology, O=BookOfZeus, L=Miami, ST=Florida, C=US
Enter key password for <my_alias>
	(RETURN if same as keystore password):
[Storing my-private-key.keystore]

Signing your app

You will need the jarsigner tool (also part of the JDK) to sign your app. It uses the keystore and alias created above.

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-private-key.keystore my_application.apk my_alias

This command will ask for the keystore and key passwords.

Verify that your APK is signed

You can verify that your application is properly signed by using this command:

jarsigner -verify -verbose -certs my_application.apk
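What jarsigner -verify is doing, at its innermost layer, is recomputing the digest of every entry in the archive and comparing it with the value recorded in META-INF/MANIFEST.MF (the signature block then covers those digests). The following added example, which is not part of the original post and not a Google or JDK tool, builds a small constructed stand-in for an APK, writes a manifest with SHA1-Digest attributes (matching the -digestalg SHA1 used above), and checks the entries against it; a stale manifest next to a modified or added entry is reported the same way jarsigner would flag it. It checks only the manifest digests, not the .SF file or the RSA signature block, and assumes manifest lines are short enough not to be wrapped at 72 bytes.

```python
import base64
import hashlib
import io
import zipfile

# Attribute name and hash function jarsigner writes for each -digestalg value;
# the page's command uses SHA1, so that is the default below.
DIGEST_ATTR = {
    "SHA1": ("SHA1-Digest", hashlib.sha1),
    "SHA-256": ("SHA-256-Digest", hashlib.sha256),
}

# Constructed stand-in for an APK's payload (not a real dex file).
SAMPLE_FILES = {
    "classes.dex": b"dex\n035\x00constructed payload",
    "res/layout/main.xml": b"<LinearLayout/>",
}


def build_manifest(files, digestalg="SHA1"):
    """Write a META-INF/MANIFEST.MF body: one section per entry carrying a
    base64 digest of that entry's bytes, as jarsigner does when signing."""
    attr, hash_fn = DIGEST_ATTR[digestalg]
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in files.items():
        digest = base64.b64encode(hash_fn(data).digest()).decode()
        lines += [f"Name: {name}", f"{attr}: {digest}", ""]
    return "\r\n".join(lines) + "\r\n"


def make_sample_apk(files, manifest_text=None):
    """Pack files into a zip with a manifest. Passing manifest_text keeps a
    stale manifest alongside modified entries, which simulates tampering."""
    if manifest_text is None:
        manifest_text = build_manifest(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the named sections."""
    sections, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return sections


def verify_entries(apk_bytes):
    """Recompute every entry's digest and compare it with the manifest.
    Returns (ok, problems); problems lists tampered or uncovered entries."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        sections = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            section = sections.get(name)
            if section is None:
                problems.append(f"{name}: not covered by manifest")
                continue
            data = zf.read(name)
            for attr, hash_fn in DIGEST_ATTR.values():
                if attr in section:
                    actual = base64.b64encode(hash_fn(data).digest()).decode()
                    if actual != section[attr]:
                        problems.append(f"{name}: {attr} mismatch")
                    break
            else:
                problems.append(f"{name}: no digest attribute")
    return (not problems, problems)


if __name__ == "__main__":
    print(verify_entries(make_sample_apk(SAMPLE_FILES)))
    stale = build_manifest(SAMPLE_FILES)
    tampered = {**SAMPLE_FILES, "classes.dex": b"dex\n035\x00modified"}
    print(verify_entries(make_sample_apk(tampered, stale)))
```

The "not covered by manifest" case is the one to watch for in practice: an entry that is present in the archive but absent from the manifest is simply unsigned, which is why jarsigner's verbose output marks each entry as signed (or not) rather than only reporting an overall pass.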

Align the application

Aligning the application ensures that all uncompressed data starts on a 4-byte boundary relative to the start of the file, so the system can map those entries directly from the APK instead of copying them. This reduces the amount of RAM consumed by an app. In this jarsigner-based flow, run zipalign after signing, not before.

zipalign -v 4 my_application-unaligned.apk my_application.apk
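To make the alignment concrete, the following added example (not part of the original post, and not the zipalign tool itself) parses each local file header of a constructed zip and reports whether the data of every uncompressed (stored) entry starts on a 4-byte boundary, which is the check zipalign -c 4 performs. It also shows the repair zipalign applies: padding the local header's extra field so the entry data lands on the boundary, without touching the entry contents. Entry names and contents are constructed for the demonstration.

```python
import io
import struct
import zipfile

# ZIP local file header (30 bytes): signature, version, flags, method, time,
# date, crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")

# Constructed stand-in for an APK's uncompressed entries.
SAMPLE_FILES = {
    "classes.dex": b"d" * 20,
    "assets/data.bin": b"a" * 33,
}


def check_alignment(apk_bytes, alignment=4):
    """List (name, data_offset, aligned) for every stored entry, which is the
    check `zipalign -c 4` performs. Compressed entries are skipped: they are
    inflated into memory anyway, so their file offset does not matter."""
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue
            start = info.header_offset  # taken from the central directory
            fields = LOCAL_HEADER.unpack(apk_bytes[start:start + LOCAL_HEADER.size])
            assert fields[0] == b"PK\x03\x04", "bad local header"
            name_len, extra_len = fields[-2], fields[-1]
            data_offset = start + LOCAL_HEADER.size + name_len + extra_len
            results.append((info.filename, data_offset, data_offset % alignment == 0))
    return results


def pack(files, align=None):
    """Pack files uncompressed. With align set, pad each local header's extra
    field with NULs so the entry data lands on an align-byte boundary, the
    same approach zipalign takes when it rewrites an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name)
            if align:
                # The next local header goes at the current end of file; this
                # is where the data would start without any padding.
                unpadded = buf.tell() + LOCAL_HEADER.size + len(name.encode())
                info.extra = b"\x00" * (-unpadded % align)
            zf.writestr(info, data)
    return buf.getvalue()


def read_entries(apk_bytes):
    """Return {name: bytes}, used to confirm padding changed no entry content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: zf.read(i.filename) for i in zf.infolist()}


if __name__ == "__main__":
    for label, blob in (("unaligned", pack(SAMPLE_FILES)),
                        ("aligned", pack(SAMPLE_FILES, 4))):
        print(label, check_alignment(blob))
```

Because the padding lives in the header rather than in the entry data, the per-entry digests checked during signature verification are unchanged by alignment; that is why zipalign can be run after jarsigner in this flow without invalidating the signature.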