Develop Reference

How To Sign APK files? [duplicate]

I've decoded an APK with apktool (as the original source code was lost) so I could fix some issues with the layout xml files. I've then rebuilt it back up with apktool and when I tried to install it on my device (using adb: adb install appname.apk) it gave me this error:
[INSTALL_PARSE_FAILED_NO_CERTIFICATES]
the original apk however was signed by a keystore (on eclipse IDE), this one isn't, how can I sign it properly with it's original keystone file outside Eclipse!?

create a key using
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
then sign the apk using :
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
check here for more info

Automated Process:
Use this tool (uses the new apksigner from Google):
https://github.com/patrickfav/uber-apk-signer
Disclaimer: Im the developer :)
Manual Process:
Step 1: Generate Keystore (only once)
You need to generate a keystore once and use it to sign your unsigned apk.
Use the keytool provided by the JDK found in %JAVA_HOME%/bin/
keytool -genkey -v -keystore my.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias app
Step 2 or 4: Zipalign
zipalign which is a tool provided by the Android SDK found in e.g. %ANDROID_HOME%/sdk/build-tools/24.0.2/ is a mandatory optimization step if you want to upload the apk to the Play Store.
zipalign -p 4 my.apk my-aligned.apk
Note: when using the old jarsigner you need to zipalign AFTER signing. When using the new apksigner method you do it BEFORE signing (confusing, I know). Invoking zipalign before apksigner works fine because apksigner preserves APK alignment and compression (unlike jarsigner).
You can verify the alignment with
zipalign -c 4 my-aligned.apk
Step 3: Sign & Verify
Using build-tools 24.0.2 and older
Use jarsigner which, like the keytool, comes with the JDK distribution found in %JAVA_HOME%/bin/ and use it like so:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore my-app.apk my_alias_name
and can be verified with
jarsigner -verify -verbose my_application.apk
Using build-tools 24.0.3 and newer
Android 7.0 introduces APK Signature Scheme v2, a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files (See here and here for more details). Therefore, Google implemented their own apk signer called apksigner (duh!)
The script file can be found in %ANDROID_HOME%/sdk/build-tools/24.0.3/ (the .jar is in the /lib subfolder). Use it like this
apksigner sign --ks-key-alias alias_name --ks my.keystore my-app.apk
and can be verified with
apksigner verify my-app.apk
The official documentation can be found here.

fastest way is by signing with the debug keystore:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.android/debug.keystore app.apk androiddebugkey -storepass android
or on Windows:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore %USERPROFILE%/.android/debug.keystore test.apk androiddebugkey -storepass android

You use jarsigner to sign APK's. You don't have to sign with the original keystore, just generate a new one. Read up on the details: http://developer.android.com/guide/publishing/app-signing.html

For those of you who don't want to create a bat file to edit for every project, or dont want to remember all the commands associated with the keytools and jarsigner programs and just want to get it done in one process use this program:
http://lukealderton.com/projects/programs/android-apk-signer-aligner.aspx
I built it because I was fed up with the lengthy process of having to type all the file locations every time.
This program can save your configuration so the next time you start it, you just need to hit Generate an it will handle it for you. That's it.
No install required, it's completely portable and saves its configurations in a CSV in the same folder.

Updated answer
Check https://shatter-box.com/knowledgebase/android-apk-signing-tool-apk-signer/
Old answer
check apk-signer a nice way to sign your app

Signing Apk Not Recognized

I'm trying to deploy an android apk created by Cordova but I'm wrong. Here is my process :
1)Build the release apk : cordova build android --release
2)Generate a keystore : keytool -genkey -v -keystore my-release-key.keystore -alias com.MyCompany.AppsName -keyalg RSA -keysize 2048 -validity 10000
I create password named MyPass, and write all information in the form (name, country,...)
3)Signed the Apps : jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore android-release-unsigned.apk com.MyCompany.AppsName
4)Checked for signing : jarsigner -verify -verbose -certs android-release-unsigned.apk
I get this output :
"jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2043-12-07) or after any future revocation date."
5)Zip the Apk : "c:\pathtosdk\zipalign.exe" -v 4 android-release-unsigned.apk com.MyCompany.AppsName.apk
6)And then i copy the Apk on a android device.
But when I try to install the Apps, the device ask me to allow unknown sources... like it's not signed.
Is anyone who know where i'm wrong ?
Thanks in advance

Your apk is probably signed and perfectly fine. the reason it asks to allow unknown sources because by default it does not allows to install .apk files from other sources than google play store. Security issues
https://support.google.com/nexus/answer/2812853?hl=en

That's the message you will receive if your not downloading the app from the play store which is true for you case. That doesn't have anything to do with the app being signed.

Try to install a derived a apk. First release your app in Alpha Release of play store. Then download the derived apk from alpha release. I think that will help.

I only have apk file (not source code) how to sign and zip-align it?

I don't have source code only have .apk file and i want to sign and zip-align it to upload on play store.
How i can do this?

From official guide
Signing Your App Manually
You do not need Android Studio to sign your app. You can sign your app from the command line using standard tools from the Android SDK and the JDK. To sign an app in release mode from the command line:
Generate a private key using keytool. For example:
$ keytool -genkey -v -keystore my-release-key.keystore -alias
alias_name -keyalg RSA -keysize 2048 -validity 10000
This example prompts you for passwords for the keystore and key, and to provide the Distinguished Name fields for your key. It then generates the keystore as a file called my-release-key.keystore. The keystore contains a single key, valid for 10000 days. The alias is a name that you will use later when signing your app.
Compile your app in release mode to obtain an unsigned APK.
Sign your app with your private key using jarsigner:
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
This example prompts you for passwords for the keystore and key. It then modifies the APK in-place to sign it. Note that you can sign an APK multiple times with different keys.
4. Verify that your APK is signed. For example:
$ jarsigner -verify -verbose -certs my_application.apk
Align the final APK package using zipalign.
$ zipalign -v 4 your_project_name-unaligned.apk your_project_name.apk
zipalign ensures that all uncompressed data starts with a particular byte alignment relative to the start of the file, which reduces the amount of RAM consumed by an app.

How to Sign an Already Compiled Apk

I've decoded an APK with apktool (as the original source code was lost) so I could fix some issues with the layout xml files. I've then rebuilt it back up with apktool and when I tried to install it on my device (using adb: adb install appname.apk) it gave me this error:
[INSTALL_PARSE_FAILED_NO_CERTIFICATES]
the original apk however was signed by a keystore (on eclipse IDE), this one isn't, how can I sign it properly with it's original keystone file outside Eclipse!?

create a key using
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
then sign the apk using :
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
check here for more info

Automated Process:
Use this tool (uses the new apksigner from Google):
https://github.com/patrickfav/uber-apk-signer
Disclaimer: Im the developer :)
Manual Process:
Step 1: Generate Keystore (only once)
You need to generate a keystore once and use it to sign your unsigned apk.
Use the keytool provided by the JDK found in %JAVA_HOME%/bin/
keytool -genkey -v -keystore my.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias app
Step 2 or 4: Zipalign
zipalign which is a tool provided by the Android SDK found in e.g. %ANDROID_HOME%/sdk/build-tools/24.0.2/ is a mandatory optimization step if you want to upload the apk to the Play Store.
zipalign -p 4 my.apk my-aligned.apk
Note: when using the old jarsigner you need to zipalign AFTER signing. When using the new apksigner method you do it BEFORE signing (confusing, I know). Invoking zipalign before apksigner works fine because apksigner preserves APK alignment and compression (unlike jarsigner).
You can verify the alignment with
zipalign -c 4 my-aligned.apk
Step 3: Sign & Verify
Using build-tools 24.0.2 and older
Use jarsigner which, like the keytool, comes with the JDK distribution found in %JAVA_HOME%/bin/ and use it like so:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore my-app.apk my_alias_name
and can be verified with
jarsigner -verify -verbose my_application.apk
Using build-tools 24.0.3 and newer
Android 7.0 introduces APK Signature Scheme v2, a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files (See here and here for more details). Therefore, Google implemented their own apk signer called apksigner (duh!)
The script file can be found in %ANDROID_HOME%/sdk/build-tools/24.0.3/ (the .jar is in the /lib subfolder). Use it like this
apksigner sign --ks-key-alias alias_name --ks my.keystore my-app.apk
and can be verified with
apksigner verify my-app.apk
The official documentation can be found here.

fastest way is by signing with the debug keystore:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.android/debug.keystore app.apk androiddebugkey -storepass android
or on Windows:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore %USERPROFILE%/.android/debug.keystore test.apk androiddebugkey -storepass android

You use jarsigner to sign APK's. You don't have to sign with the original keystore, just generate a new one. Read up on the details: http://developer.android.com/guide/publishing/app-signing.html

For those of you who don't want to create a bat file to edit for every project, or dont want to remember all the commands associated with the keytools and jarsigner programs and just want to get it done in one process use this program:
http://lukealderton.com/projects/programs/android-apk-signer-aligner.aspx
I built it because I was fed up with the lengthy process of having to type all the file locations every time.
This program can save your configuration so the next time you start it, you just need to hit Generate an it will handle it for you. That's it.
No install required, it's completely portable and saves its configurations in a CSV in the same folder.

Updated answer
Check https://shatter-box.com/knowledgebase/android-apk-signing-tool-apk-signer/
Old answer
check apk-signer a nice way to sign your app

Signing android app manually doesn't work properly

I developed a Android App and could sign it with the Eclipse Plugin, but i wanted to sign it manually with jarsigner and zipalign, so that i can choose the algorithm and the keysize by my self.
I created a Keystore with this command:
keytool -genkey -v -keystore keystore_name -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
My first issue is that i cant enter the Keystore with the Eclipse Plugin. It says:
Keystore was tampered with, or password was incorrect
So i went on with the jarsigner like this:
jarsigner -verbose -keystore keystore_name my_application.apk alias_name
and it works fine.
finally i run the tool zipaling:
zipalign -v 4 inputfile.apk outputfile.apk
I could publish my app in the market without any trouble. But when a friend downloaded my app, he gets the error: Package file was not signed correctly
Furthermore I can't install my app signed manually. But the version, signed with the Eclipse plugin works fine.
The big problem now I have is, that I can't upload the new apk file do the market, because it says that it is signed with an other certificate.
What can I do ?

Not sure if this will help but I came across a similar issue before. After trying a few things I used jarsigner like this and it has been working fine:
jarsigner -verbose -digestalg SHA1 -sigalg MD5withRSA -keystore %path to key store here% -signedjar %the name you want for your signed apk here% %the apk you want to sign here% your.keystore
EDIT:
Just noticed your question was about what to do with the app on the market place. I'm no help there. Sorry.

Verify the keytool you are using:
which keytool
check if it is set to openjdk... Android supports only Sun/Oracle Java as the keytool.