Application Signing

All APKS must be digitally signed with a certificate to be installed. There are two schemes.

V1 Jar Signing Scheme

All files signed with a common certificate
Not all of the file is signed
Lots of untrusted data structures must be processed and then discarded if not covered by signatures
Larger attack surface

APK Signature Scheme

Whole file is signed
APK signing block is inserted into APK before the Zip Central Directory

Generating a certificate

Keytool is located in Android Studio/JRE/Bin

keytool -genkey -v keystore key.keystore -alias aliasname -keyalg RSA -keysize 2048 -validity 73000 -storepass password

Signing an Application

APKSigner included in Android SDK build-tools directory
JarSigner in AndroidStudio/JRE/Bin

apksigner sign -out app.apk -ks keystore.jks unsigned.apk

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore keystore app.apk alias

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Application Signing

V1 Jar Signing Scheme

APK Signature Scheme

Generating a certificate

Signing an Application

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally