Saturday, September 24, 2011

keystore password android



The Android system requires that all installed applications be digitally signed
 with a certificate whose private key is held by the application's developer.
 The Android system uses the certificate as a means of identifying the author 
of an application and establishing trust relationships between applications. 
The certificate is not used to control which applications the user can install.
 The certificate does not need to be signed by a certificate authority: it is
 perfectly allowable, and typical, for Android applications to use self-signed
 certificates.

The important points to understand about signing Android applications are:

    * All applications must be signed. The system will not install an 
application that is not signed.
    * You can use self-signed certificates to sign your applications. 
No certificate authority is needed.
    * When you are ready to release your application for end-users,
 you must sign it with a suitable private key. You can not publish 
an application that is signed with the debug key generated by the SDK tools.
    * The system tests a signer certificate's expiration date only at install time
. If an application's signer certificate expires after the application is
 installed, the application will continue to function normally.

    * You can use standard tools — Keytool and Jarsigner — to generate keys and 
sign your application .apk files.
    * Once you have signed the application, use the zipalign tool to optimize
 the final APK package.

The Android system will not install or run an application that is not signed
 appropriately. This applies wherever the Android system is run, whether on an
 actual device or on the emulator. For this reason, you must set up signing for
 your application before you will be able to run or debug it on an emulator or
 device.

The Android SDK tools assist you in signing your applications when debugging.
 Both the ADT Plugin for Eclipse and the Ant build tool offer two signing modes
 — debug mode and release mode.

    * While developing and testing, you can compile in debug mode.
 In debug mode, the build tools use the Keytool utility, included in the JDK,
 to create a keystore and key with a known alias and password. 
At each compilation, the tools then use the debug key to sign the application
 .apk file. Because the password is known, the tools don't need to prompt you 
for the keystore/key password each time you compile.
    * When your application is ready for release, you must compile in release 
mode and then sign the .apk with your private key. There are two ways to do this:
          o Using Keytool and Jarsigner in the command-line. In this approach,
 you first compile your application to an unsigned .apk. You must then sign the
 .apk manually with your private key using Jarsigner (or similar tool). 
If you do not have a suitable private key already, you can run Keytool manually
 to generate your own keystore/key and then sign your application with Jarsigner.

          o Using the ADT Export Wizard. If you are developing in Eclipse with
 the ADT plugin, you can use the Export Wizard to compile the application,
 generate a private key (if necessary), and sign the .apk, all in a single
 process using the Export Wizard.

Once your application is signed, don't forget to run zipalign on the APK
 for additional optimization.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.