I have a quite normal app for Android which requires no permission at all. I wanted to upload the APK to the Google Play Developer Console.
In Android Studio, I pressed Build --> Generate Signed APK... --> I filled in the correct passwords --> Next --> Build Type debug --> Signature Versions only V2 (Full APK Signature) --> Finish.
My loggs tell me: APK's generated succesfully.
I go to the Google Play Developer Console --> Release management --> App-releases --> Edit bèta release --> Upload APK.
When I upload the APK that's just created I get the following error from Google:
Upload failed. You have uploaded an unsigned APK. You must create a
signed APK.
This is very irritating, because it happens always when I try to upload an APK, which is signed according to me. I tried several ways. What have I done wrong?
You need to choose Build type Release and check both signature versions V1 and V2.
Signature Versions
Android 7.0 introduces APK Signature Scheme v2, a new app-signing
scheme that offers faster app install times and more protection
against unauthorized alterations to APK files. By default, Android
Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using
both APK Signature Scheme v2 and the traditional signing scheme, which
uses JAR signing.
Signature V2 is optional, but signature V1 is mandatory for distribution on Google Play.
Related
I want to upload an app to the Google Developer Console, but when I upload the app, it gives the following error:
You uploaded an APK with an invalid signature (learn more about signing). Error from apksigner: ERROR: MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET: Target SDK version 30 requires a minimum of signature scheme v2; the APK is not signed with this or a later signature scheme
See the screenshot I uploaded here.
How can I solve this problem?
Make sure you are building the 'release' variant, after signing it with an upload key. Also, I would recommend you sign in for Google App Signing, which will certainly solve these issues and keep your signing key secure as well. The schema problems will be taken care of by Google itself then. There is an option in the console to opt-in to Play Signing
In the Generate Signed Bundle or APK dialog, after you select the jks key stroke path, you should see a page with 2 options
Build Variants: debug or release
Signature Versions: V1 (Jar Signature) and/or V2 (Full APK signature)
You should make sure V2 is checked when build.
I want to release a new application. And I have created a keystore specifically for that application. When on the Google console I accidentally clicked on enabling Google Play App Signing. My APK upload failed because it did not match the application signer. I have long lost the application keystore before. How can I release a new application with a new keystore? Explanation from Google makes me even more confused, can I give me the order that I have to do.
My error on console looks like this:
And the upload certificate section is written like this:
Your application does not have an upload certificate. The certificate
you use to sign the first APK will be used as an upload certificate.
While generating signed APK, Just check on Both signatures version i.e
I want confirmation that I have found the answer, via this link
[Android Signed APK showing as Unsigned APK when trying to upload to production
I have to check both options when generating a signed APK.
There are three choices available to us:
select V1 (For older version of signing) - apk gets uploaded
successfully
select V2 (For newer version of signing) - Please note that selecting
this alone will not work.
select V1 and V2 (For older and newer version) - apk gets uploaded
successfully
Why selecting V2 alone does not work ?
Because APK Signature Scheme v2 was introduced in Android 7.0
(Nougat). To make a APK installable on Android 6.0 (Marshmallow) and
older devices, the APK should be signed using JAR signing before being
signed with the v2 scheme.
thank you for participating in helping find answers
Please select at least one of the signature versions to use in Android Studio 2.3
Now while generating a signed APK in Android Studio, it's showing two options (CheckBox) namely 1. V1 (Jar Signature) and 2. V2 (Full APK Signature) as Signature Versions in the last step of signed APK generating process.
So, what is the difference between V1 (Jar Signature) and V2 (Full APK Signature) in the new Android Studio update?
And which should I use (or both) for signing apk for play store release?
Also, I'm getting error Install Parse Failed No Certificates while installing APK when I use the second option.
It is a new signing mechanism introduced in Android 7.0, with additional features designed to make the APK signature more secure.
It is not mandatory. You should check BOTH of those checkboxes if possible, but if the new V2 signing mechanism gives you problems, you can omit it.
So you can just leave V2 unchecked if you encounter problems, but should have it checked if possible.
UPDATED: This is now mandatory when targeting Android 11.
Should I use(or both) for signing apk for play store release?
An answer is YES.
As per https://source.android.com/security/apksigning/v2.html#verification
:
In Android 7.0, APKs can be verified according to the APK Signature Scheme v2 (v2 scheme) or JAR signing (v1 scheme). Older platforms ignore v2 signatures and only verify v1 signatures.
I tried to generate build with checking V2(Full Apk Signature) option. Then when I tried to install a release build in below 7.0 device and I am unable to install build in the device.
After that I tried to build by checking both version checkbox and generate release build. Then able to install build.
It is written here that "By default, Android Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using both APK Signature Scheme v2 and the traditional signing scheme, which uses JAR signing."
As it seems that these new checkboxes appeared with Android 2.3, I understand that my previous versions of Android Studio (at least the 2.2) did sign with both signatures. So, to continue as I did before, I think that it is better to check both checkboxes.
EDIT March 31st, 2017 : submitted several apps with both signatures => no problem :)
According to this link: signature help
APK Signature Scheme v2 offers:
Faster app install times
More protection against unauthorized alterations to APK files.
Android 7.0 introduces APK Signature Scheme v2, a new app-signing
scheme that offers faster app install times and more protection
against unauthorized alterations to APK files. By default, Android
Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using
both APK Signature Scheme v2 and the traditional signing scheme, which
uses JAR signing.
It is recommended to use APK Signature Scheme v2 but is not mandatory.
Although we recommend applying APK Signature Scheme v2 to your app,
this new scheme is not mandatory. If your app doesn't build properly
when using APK Signature Scheme v2, you can disable the new scheme.
I think this represents a good answer.
APK Signature Scheme v2 verification
Locate the APK Signing Block and verify that:
Two size fields of APK Signing Block contain the same value.
ZIP Central Directory is immediately followed by ZIP End of Central Directory record.
ZIP End of Central Directory is not followed by more data.
Locate the first APK Signature Scheme v2 Block inside the APK Signing Block. If the v2 Block if present, proceed to step 3. Otherwise, fall back to verifying the APK using v1 scheme.
For each signer in the APK Signature Scheme v2 Block:
Choose the strongest supported signature algorithm ID from signatures. The strength ordering is up to each implementation/platform version.
Verify the corresponding signature from signatures against signed data using public key. (It is now safe to parse signed data.)
Verify that the ordered list of signature algorithm IDs in digests and signatures is identical. (This is to prevent signature stripping/addition.)
Compute the digest of APK contents using the same digest algorithm as the digest algorithm used by the signature algorithm.
Verify that the computed digest is identical to the corresponding digest from digests.
Verify that SubjectPublicKeyInfo of the first certificate of certificates is identical to public key.
Verification succeeds if at least one signer was found and step 3 succeeded for each found signer.
Note: APK must not be verified using the v1 scheme if a failure occurs in step 3 or 4.
JAR-signed APK verification (v1 scheme)
The JAR-signed APK is a standard signed JAR, which must contain exactly the entries listed in META-INF/MANIFEST.MF and where all entries must be signed by the same set of signers. Its integrity is verified as follows:
Each signer is represented by a META-INF/<signer>.SF and META-INF/<signer>.(RSA|DSA|EC) JAR entry.
<signer>.(RSA|DSA|EC) is a PKCS #7 CMS ContentInfo with SignedData structure whose signature is verified over the <signer>.SF file.
<signer>.SF file contains a whole-file digest of the META-INF/MANIFEST.MF and digests of each section of META-INF/MANIFEST.MF. The whole-file digest of the MANIFEST.MF is verified. If that fails, the digest of each MANIFEST.MF section is verified instead.
META-INF/MANIFEST.MF contains, for each integrity-protected JAR entry, a correspondingly named section containing the digest of the entry’s uncompressed contents. All these digests are verified.
APK verification fails if the APK contains JAR entries which are not listed in the MANIFEST.MF and are not part of JAR signature.
The protection chain is thus <signer>.(RSA|DSA|EC) → <signer>.SF → MANIFEST.MF → contents of each integrity-protected JAR entry.
I made an app and I published it on the PlayStore.
I made an update and now I'm trying to re-import it into the Android publish web site.
I generated my app like this : (with Android Studio)
Build
Generate Signed APK...
I choosed my app
Click "next"
And I used the same key, same password etc ...
The apk is succefully generated (and signed).
But when I tried to upload the app on the publish website (to update the app online) it tells me:
You have imported an APK file without a signature. You must create an APK file with a signature.
Have you got an idea why it's crashing?
It's contradincting, Android studio tells me that the signed app is generated but the website tells me it's not a signed app.
EDIT :
I tryed to "Build -> Clean Project" and "File -> Invalidate Caches / Restart..." without success. I also tryed to make a new project, copy past all code and retry :/
I assume that you're creating your keystore correctly and none of the solutions in AMAN SINGH's answer worked for you.
There's a new signing scheme in Android called Apk Signing Scheme v2.
https://source.android.com/security/apksigning/v2
When you're signing your apk there're two checkboxes.
v1 (jar signing)
v2 (apk signing)
v1 signature is required, if the APK's minSdkVersion is 23 and lower. Android versions before Android Nougat (API Level 24) ignore v2 signatures so apks which don't have a valid v1 signature will be rejected by Play Store.
In Android 7.0, APKs can be verified according to the APK Signature
Scheme v2 (v2 scheme) or JAR signing (v1 scheme). Older platforms
ignore v2 signatures and only verify v1 signatures.
Edit:
Thanks Alex Klyubin for information.
I don't understand the language in which the image is there but if you already uploaded your APK once then,
*) You need to use same signed keystore signature which you used first time at generating signed APK.
*) Check your Manifest.xml, android:debuggable="true" if this is there remove this line or make debuggable="false"
*) check `versionCode' should be greater than last uploaded
*) Check versionName should be greater than last uploaded
*) Tick Mark in both the column while building the Signed APK
I signed my APK in Android Studio 2.3 (build->generate signed APK). When I'm trying to upload it to Google Play store it is showing the error that I've uploaded unsigned APK. Could anyone answer why it is happening and how to solve it?
It uploaded successfully when I checked V1 (Jar Signature) instead of V2 (Full APK Signature) while generating the signed APK in Android Studio 2.3
Android 7.0 introduces APK Signature Scheme v2, a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files.
While generating signed apk there are two checkbox .
V1 (Jar Signature)
V2 (Full apk Signature)
There are three choices available to us:
select V1 (For older version of signing) - apk gets uploaded successfully
select V2 (For newer version of signing) - Please note that selecting this alone will not work.
select V1 and V2 (For older and newer version) - apk gets uploaded successfully
Why selecting V2 alone does not work ?
Because APK Signature Scheme v2 was introduced in Android 7.0 (Nougat). To make a APK installable on Android 6.0 (Marshmallow) and older devices, the APK should be signed using JAR signing before being signed with the v2 scheme.
For more information jump here
Signed for Both v1 and v2. It will upload Successfully.
This is because you are using only v2 signature while taking release build.
So what is v1 and v2 mentioned?
v1 is the default signing mechanism and v2 is the newest mechanism added, which verifies much faster. This means v2-signed APKs install/update a bit faster on Android Nougat (Android 7.0, API Level 24) and newer.
So what should you do?
If you want to sign app without any changes
Check v1 (jar Signature only) which is the default.
If you want the newest signature and support for 7.x versions
Check v2 (Full Apk Signature) Which also reduces app size.
If you want app to be smaller, able to install faster and compatible with all Android versions.
Check both v1 and v2.
PS: Only applicable for signing apps with Studio, other than using pipes to build.
For more refereces Link
How To sign APK using V2
https://developer.android.com/studio/command-line/apksigner.html
Step 1) Android Studio, select View > Tool Windows > Terminal
gradlew assembleRelease
2) Align the unsigned APK using zipalign:
zipalign -v -p 4 my-app-unsigned.apk my-app-unsigned-aligned.apk
3) Sign your APK with your private key using apksigner:
apksigner sign --ks my-release-key.jks my-app-unsigned-aligned.apk --out my-app-release.apk
Note: To use the apksigner tool, you must have revision 24.0.3 or higher of the Android SDK Build Tools installed. You can update this package using the SDK Manager.
4) Verify that your APK is signed:
apksigner verify my-app-release.apk
Note: step 2 to 4 Perform in Command Prompt G:\AndroidStudio\Sdk\build-tools\25.0.0\
If you reach this, use Android Studio 3.3 and the error keeps coming up no matter you check the Signature checkboxes or not, try to manually delete the app/build folder.
Source: https://stackoverflow.com/a/54213942/787511
It is a problem from Google and it is issued two days ago in this page
As per the attached screenshot, Select both V1(Jar Signature) and V2(Full APK Signature). It will work.