Can someone please explain the difference between:
signed apk
unsigned apk
apk in debug mode
apk in release mode
Although its clear that signed apk is the one you generate apk with your own certificate and the unsigned one without without certificate.
Especially what are the apk in debug mode and apk in release mode really mean?
How are these two related with signed apk and unsigned apk?
Edited: Also is there any more types of apk apart from this?
I have already read the docs at http://developer.android.com/tools/publishing/app-signing.html
It only explains about the Signing in Debug Mode and Signing in Release Mode, but they didn't mention anything about the apk in debug mode and apk in release mode.
The same way you can have documents signed with a digital key to prove their origin and ownership and websites have a certificate for that, you can do the same thing with APKs by signing them using the tools provided by the SDK.
Unsigned vs Signed APK:
One has been signed and the other has not. Just like that. Think of GPGed emails or Websites with the Green thingy on the address bar for signed APKs and plain emails or websites with no ssl for unsigned APKs.
Before we talk about debug mode and release mode, I'll give a very brief explanation on signing, actually talk about authority-certified signing and self-signing.
When you go to a SSL protected website you might see either a warning message or a red X by the url, depending on the browser, warning you that the certificate can't be trusted. Normally that means the website is using a self-signed certificate. What that means is that you can't really tell who made the certificate and no one can really say it's secure for real or that it comes from where it says it does.
On the other hand, the Authority-certified signed certificates, they have someone(a company) which is known and (is supposed to) guarantees the quality of the certificate and that who's using is who it should be.
Now back to APKs:
When you're just testing your app, when you want test it, you don't really need a proper certificate as you're the one installing the app on your device and you know (at least you should) the app you're making is not supposed to cause any problems.
On the other hand, when you put them in the Android market, it is important to know that the app people are downloading are really yours, so that's when you're gonna use a properly signed certificate. The one you can't lose and blah blah blah.
This brings us to Debug mode and Release mode.
They are just build/deploy environment/settings to help you be more productive.
When you select debug mode, the apk will(might?) contain a lot more debug info (and for that be bigger) and will normally be signed with your self-signed certificate (the debug key) which is (most normally) automatically generated.
when you select release mode it (should) strip useless debug information reducing the size of your app and will properly sign your APK with a certified key which is necessary to release apps in the market.
Hope this helps and if you need more clarifications ask in the comments
From Android docs:
You can sign an app in debug or release mode. You sign your app in debug mode during development and in release mode when you are ready to distribute your app. The Android SDK generates a certificate to sign apps in debug mode. To sign apps in release mode, you need to generate your own certificate.
That is, when you are going to distribute your app, you sign your app in release mode with your own keystore file. Signing in debug mode is generally done automatically by your IDE.
You can build unsigned only via command line as far as i know.
Here is how to do it Build unsigned APK
Here is an extract from the link for you.
Build unsigned
If you build your application unsigned, then you will need to manually sign and align the package.
To build an unsigned .apk in release mode, open a command-line and navigate to the root of your module directory. Invoke the assembleRelease build task.
On Windows platforms, type this command:
gradlew.bat assembleRelease
On Mac OS and Linux platforms, type this command:
$ ./gradlew assembleRelease
This creates your Android application .apk file inside the project bin/ directory, named -unsigned.apk.
Note: The .apk file is unsigned at this point and can't be installed until signed with your private key.
Once you have created the unsigned .apk, your next step is to sign the .apk with your private key and then align it with zipalign. To complete this procedure, read Signing Your Applications.
When your .apk has been signed and aligned, it's ready to be distributed to end-users. You should test the final build on different devices or AVDs to ensure that it runs properly on different platforms.
To install any apk to any device they must be signed, unsigned apks can only be tested in the emulator. while signing you can do it in a couple of ways this is a extract from developer.android.com
http://developer.android.com/tools/publishing/app-signing.html
Signing Overview
You can sign an app in debug or release mode. You sign your app in debug mode during development and in release mode when you are ready to distribute your app. The Android SDK generates a certificate to sign apps in debug mode. To sign apps in release mode, you need to generate your own certificate.
Signing in Debug Mode
In debug mode, you sign your app with a debug certificate generated by the Android SDK tools. This certificate has a private key with a known password, so you can run and debug your app without typing the password every time you make a change to your project.
Android Studio signs your app in debug mode automatically when you run or debug your project from the IDE.
You can run and debug an app signed in debug mode on the emulator and on devices connected to your development manchine through USB, but you cannot distribute an app signed in debug mode.
By default, the debug configuration uses a debug keystore, with a known password and a default key with a known password. The debug keystore is located in $HOME/.android/debug.keystore, and is created if not present. The debug build type is set to use this debug SigningConfig automatically.
Related
I got the SHA1 using this:
How to get the SHA-1 fingerprint certificate in Android Studio for debug mode?
and then I did a setup for google play service and everything works fine.
When I run the app from my android studio but when I go to the other pc and tries to run the app its says "failed to sign in". So my question is how can I work in two different workstation and have the same signed app? I also tried to sign the app with the Build > Build signed APK and it didn't work.
When you running the app in debug mode via Android Studio, the apk is signed with the debug key. For each computer, the debug key is different. The debug key is placed in $HOME/.android/debug.keystore. So you need to use the same debug key by copying the key to another computer.
To build an apk with signed key, you need to generate your key first. Please see in Sign your release build.
Please ensure you are using the same key to sign the APK. Transfer the KeyStore (.jks) file to the new computer you'd like to sign the app on. Be sure to enter the correct password which you assigned when creating the KeyStore as well. For more information, see the docs.
I am attempting to deploy my first app to the Google Play Store. Each time I upload the APK file, I get the following message:
"Upload failed You uploaded a debuggable APK. For security reasons you
need to disable debugging before it can be published in Google Play.
Learn more about debuggable APKs."
I am building a release version of my code. I upload the release version of my APK file from:
\Projects\MyAppNameHere\Android\Release\MyAppNameHere\bin\MyAppNameHere.apk
In my Projects Debugging options, it is set to "No Debug information"
I have also modified the AndroidManifest file to say:
android:debuggable="False"
However, the Google Play Store keeps giving me the same message that i need to upload a non-debuggable version.
What Am I doing wrong? I should note, every time I build a new release version of the APK file, the AndroidManifest file reverses back to
android:debuggable="True"
There are two types of certificates for signing your app:
Debug certificate: to connect a debugger to your application, to be able to access your apps's private data directory
Release certificate: to upload your app to an application store (like Google Play)
Delphi puts a debug certificate for you on your PC so you can start developing & debug your apps.
It even uses this certificate if you compile with a release profile when you forgot to create your own certificate.
So make sure that
Your build configuration is set to "release"
Your Target Plattform configuration is "Application-Store"
You have provided an own certificate for this configuration in Project -> Options -> Deployment (make sure your profile is Release Configuration - Android Platform)
If you do not have a release certificate you can create a new certificate within a key store through the options dialog. Remember to always use the same release certificate for your app, and to store your key store in a secure place that no other person has access to it. Once you lost that certificate, you will not be able to publish updates of your app anymore!
If you like to install your release app on a device that already has installed a debug version of your app, you have to uninstall it first.
If you like to verify what certificate an .apk is signed with you can use the command
jarsigner -verify -verbose -certs %file_name%
I have a certificate that is signing my app when I say File -> Export. When I install the apk that way, it works. However, when I just run my app off eclipse while my phone is plugged in, it does not. So obviously it is being signed with another certificate.
How can I get eclipse to sign the apk with the same certificate that is used when exporting the apk?
This person has the exact same problem as me, but no answer either...
You are right, it's signed with other certificate, it's using ~/.android/debug.keystore. I don't know much about eclipse but in Android-Studio with new build system (gradle) its very easy to switch between signing certificates within different variants of an app (e.g. debug/relese even with combinations like free/premium). I don't know if it will work, maybe just replace in your users directory debug.keystore with your own?
I've develop an app (thesis) to be used by 10 people (geologists). My question is, do i need to sign my app in release mode or just give them the apk file from bin through flash drive?
An android phone will refuse to install an apk that is not signed at all, so the question is really between signing with a debug certificate vs. signing with a release one.
While you can distribute a debug signed apk outside of a marketplace, debug certificates tend to have short validity periods on the order of a year. This will, at minimum, cause problems with providing upgrades in the future, as after the certificate expires you would have to create a new one, and changing the certificate would require wiping out the private data of the old version on each phone.
(According to the docs, an already-installed app will continue to work after its certificate expires, but there could still be problems if a user gets a new device, etc)
There is also a security concern, in that (except on the version where it was broken) the run-as debug tool allows anyone with adb to execute programs as the userid of a debug-cerficate app. This would expose all the private data in the app, much like running on a rooted phone potentially does.
For these reasons, as well as general "that's not what it is for!" distribution channels tend to refuse to accept debug-signed apk's.
According to android developer guide you application must digitally signed to install or run Android system. This may help you in signing the apk.
You can distribute your APK after signing with debug certificate if you are not going to upload it on Google Play and only looking for testing purpose or distribute to client for just testing purpose.
APK won't install/update once your debug certificate expire and debug certificate validity is almost one year.
Upon installation, the Android SDK generates a “debug” signing certificate for you in a keystore called debug.keystore. A debug certificate is only valid for 365 days.
If you are looking to release updates it is good if you sign your application with own release certificate and in this you can set your expire validity.
I have a programm with an auto-updater and till now I deployed programm versions generated by the eclipse "Run" and "Debug" commands for my beta testers. (poor decision - as I know now)
Now I want do deploy versions that have been created by the "Export" command, but without the need for my testers to uninstall the app priror to installing the new version. To achieve this I would need to sign the apks created by the "Export" command with the key that is used for the automatic debug builds.
Is this possible? - If yes: how would i do that and where can I find the key that is used for this automatic builds?
best regards
You can find the automatic debug key from ~/.android/debug.keystore . If you are using eclipse you can set the path to a custom keystore (if you are so inclined) from Windows->preference-> Android->Build. But the disadvantage of using the debug key is that 1)it is valid for 365 days only. 2) You can't publish your app to play store. and others which I can't recall.
http://developer.android.com/tools/publishing/app-signing.html has all he details about signing your app.