1. Why sign
With so many people developing for Android, it is entirely possible that different developers choose the same class names and package names. How are such applications told apart? The signature is what distinguishes them.
Because a developer could try to replace an installed program by reusing its package name, the signature guarantees that packages with the same name but different signatures do not replace one another.
If an APK is signed with one key, a file signed with a different key at publication time cannot be installed over it or overwrite the old version, which prevents an application you installed from being overwritten or replaced by a malicious third party.
The signature is in effect the developer's identity. When a party tries to deny its part in a transaction, for example, the signature prevents that denial from succeeding.
2. Precautions for signatures
The Android system requires every program to be digitally signed before it can be installed. Without a digital signature the system refuses to install and run the program, whether on an emulator or a real phone. A digital signature must therefore be set up for the application before it is run or debugged on a device or emulator.
The digital certificates used for Android signing do not need to be certified by an authoritative organization. They are generated by the developers themselves, that is, they are self-signed. The certificate identifies the author of an application and establishes trust relationships between applications; it does not determine which applications the end user can install.
The system checks the validity period of the signing certificate only at installation. If the certificate expires after installation, the application continues to work normally.
The standard tools keytool and jarsigner can be used to generate a key and sign the application's .apk file.
After signing, optimize the APK with zipalign.
In the emulator development environment, programs uploaded over the ADB interface during development are automatically signed in debug mode before being passed to the emulator. In Eclipse, Window -> Preferences -> Android -> Build shows the default digital certificate used for debug signing.
When officially publishing an Android application, you must sign it with a digital certificate generated from the appropriate private key; the debug certificate generated by the ADT plug-in or the Ant tool cannot be used for publishing.
More than once I have needed knowledge about Android signatures, and every time I searched on Google almost from scratch. I didn't want to go on like this, so I found time to sort out the fragments of knowledge I have used and put them here, partly as a memo and partly to help others.
Get signature information from APK file
How to use
keytool -list -printcert -jarfile your_apk_file
Output information
Signature Owner, Issuer and other information
Certificate fingerprints, such as MD5 and SHA1 values
Signature validity period and other information
Sample effects
16:29 $ keytool -list -printcert -jarfile akoi_1.
Signer #1:
Signature:
Owner: CN=Andrew Wallace, OU=, O=, L=Beijing, ST=Beijing, C=86
Issuer: CN=Andrew Wallace, OU=, O=, L=Beijing, ST=Beijing, C=86
Serial number: 11a8a4a3
Valid from: Tue Feb 10 18:07:43 CST 2015 until: Sun Jun 13 18:07:43 CST 3013
Certificate fingerprints:
     MD5: 46:C5:BE:EF:B5:C9:00:E1:FA:42:50:50:57:54:CA:15
     SHA1: C1:14:5D:0A:C2:BF:F6:06:43:20:AE:2C:07:12:97:58:C2:1B:39:D1
     SHA256: 0E:88:7D:C2:4C:D6:84:A7:58:D4:24:1E:9D:38:F9:05:98:1E:B2:A2:D7:CB:0F:81:74:60:5B:38:89:FF:21:1C
     Signature algorithm name: SHA256withRSA
     Version: 3
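The same-package-name check from section 1, applied to keytool output, as an added example (not code from the original article): it extracts the SHA256 certificate fingerprint and accepts a candidate APK only when its signer matches the installed one. The function names and the SAME_KEY, OTHER_KEY and UNSIGNED samples are constructed for illustration; INSTALLED reuses the fingerprint shown above, and key rotation is not modelled.

```shell
#!/bin/sh
# Added example: the input is the text printed by
#   keytool -list -printcert -jarfile your_apk_file

# Print each SHA256 signer fingerprint on stdin as 64 upper-case hex digits.
# Lines without a complete 32-byte fingerprint are dropped.
cert_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' |
        tr -d ':' | tr 'a-f' 'A-F' | awk 'length($0) == 64'
}

# Succeed only if both outputs hold the same non-empty set of fingerprints.
# Assumption: key rotation is not modelled (simplification for illustration).
same_signer() {
    installed=$(printf '%s\n' "$1" | cert_sha256 | sort -u)
    candidate=$(printf '%s\n' "$2" | cert_sha256 | sort -u)
    [ -n "$installed" ] && [ "$installed" = "$candidate" ]
}

# One-line verdict for a candidate update.
verdict() {
    if same_signer "$1" "$2"; then
        echo "same signer: update accepted"
    else
        echo "signer mismatch: update refused"
    fi
}

# INSTALLED reuses the fingerprint from the sample above; the rest is constructed.
INSTALLED='Signer #1:
Owner: CN=Andrew Wallace, OU=, O=, L=Beijing, ST=Beijing, C=86
Certificate fingerprints:
     SHA1: C1:14:5D:0A:C2:BF:F6:06:43:20:AE:2C:07:12:97:58:C2:1B:39:D1
     SHA256: 0E:88:7D:C2:4C:D6:84:A7:58:D4:24:1E:9D:38:F9:05:98:1E:B2:A2:D7:CB:0F:81:74:60:5B:38:89:FF:21:1C'
SAME_KEY='     SHA256: 0e:88:7d:c2:4c:d6:84:a7:58:d4:24:1e:9d:38:f9:05:98:1e:b2:a2:d7:cb:0f:81:74:60:5b:38:89:ff:21:1c'
OTHER_KEY='     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
UNSIGNED='Not a signed jar file'

echo "same key:     $(verdict "$INSTALLED" "$SAME_KEY")"
echo "other key:    $(verdict "$INSTALLED" "$OTHER_KEY")"
echo "unsigned apk: $(verdict "$INSTALLED" "$UNSIGNED")"
```

With real files, pass the output of the keytool command for the installed APK and for the candidate APK as the two arguments of same_signer.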
Get signature information from the signature file
How to use
keytool -list -v -keystore your_keystore_file
Note that after the above command is executed, it prompts for the keystore password. In fact, it does not matter if the password is entered incorrectly; this does not affect the result.
Output information
Signature Owner, Issuer and other information
Certificate fingerprints, such as MD5 and SHA1 values
Signature validity period and other information
Sample effects
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name:
Creation date: Feb 10, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Andrew Wallace, OU=, O=, L=Beijing, ST=Beijing, C=86
Issuer: CN=Andrew Wallace, OU=, O=, L=Beijing, ST=Beijing, C=86
Serial number: 11a8a4a3
Valid from: Tue Feb 10 18:07:43 CST 2015 until: Sun Jun 13 18:07:43 CST 3013
Certificate fingerprints:
     MD5: 46:C5:BE:EF:B5:C9:00:E1:FA:42:50:50:57:54:CA:15
     SHA1: C1:14:5D:0A:C2:BF:F6:06:43:20:AE:2C:07:12:97:58:C2:1B:39:D1
     SHA256: 0E:88:7D:C2:4C:D6:84:A7:58:D4:24:1E:9D:38:F9:05:98:1E:B2:A2:D7:CB:0F:81:74:60:5B:38:89:FF:21:1C
     Signature algorithm name: SHA256withRSA
     Version: 3
Re-sign APK
Without source code, we can change the signature of the apk.
script
Alternate address
How to use
bash your_apk_file your_keystore_file keystore_pass keystore_alias
Sample effects
16:57 $ bash ~/Documents/baidu_disk/Baidu Cloud Synchronous Disk/droidapp/mykiki 123456
param1
param2 /Users/androidyue/Documents/droidapp/mykiki
param3 123456
param4
deleting: META-INF/
deleting: META-INF/
deleting: META-INF/
adding: META-INF/
adding: META-INF/
adding: META-INF/
......
Verification succesful
The generated file is placed in the current directory, and its name is the input file name with the signed_ prefix added. For example, the output file obtained by performing the above operations is signed_weixin6313android740.apk
Gradle build generates signature APK
If you want gradle build to produce an APK signed with a specified signature, modify the build configuration as follows
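android {
    signingConfigs {
        release {
            // Path to the keystore file (left empty in the original)
            storeFile file("")
            storePassword "********"
            keyAlias "******"
            keyPassword "******"
        }
    }
    buildTypes {
        release {
            // Sign release builds with the signing config defined above
            signingConfig signingConfigs.release
        }
    }
}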
The above is the summary of Android signature knowledge introduced by the editor. I hope it will be helpful to everyone!