Wednesday, April 10, 2013

Android Tip: Signing your App

Once you have developed your Android app, the next step is to export it as an Android Package (APK). When you run your application on an Android emulator or on a real device connected to your computer, it is code-signed with the debug certificate stored in debug.keystore. Apps signed with this debug.keystore can only be run on the emulator and on real devices when deployed through Eclipse. When you are ready to release your app to the world, you need to sign it using your own certificate (or a cert issued by Google).

Very often, developers forget to sign the app and go ahead and distribute it. When a user then tries to install the unsigned APK, they get the "App not installed" error. This error message is not very useful, as it tells you little about the source of the problem.

As a developer, you can perform the following steps to further examine the source of the problem. Fire up your Command window (or Terminal for Mac users). Issue the following command:

jarsigner -verify -verbose -certs name_of_APK.apk 

If the application is not signed, you will see something like:

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

no manifest.
jar is unsigned. (signatures missing or not parsable)

Applications that are unsigned cannot be installed on real devices. 

If the application is signed with the debug.keystore certificate, you will see something like this:

sm       652 Wed Mar 27 13:17:20 SGT 2013 res/layout/activity_main.xml

      X.509, CN=Android Debug, O=Android, C=US
      [certificate is valid from 3/19/12 8:23 PM to 3/12/42 8:23 PM]

sm       464 Wed Mar 27 13:17:20 SGT 2013 res/menu/main.xml

      X.509, CN=Android Debug, O=Android, C=US

Look for the "CN=Android Debug" phrase. This tells you that the APK is signed with the debug.keystore certificate, which means that it cannot be installed on a real device (unless through Eclipse). 
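
The manual check above can be turned into a pre-release gate. The script below is an added example, not code from the original post: it classifies the output of the jarsigner command shown earlier as unsigned, debug-signed, or signed with another certificate, using only the marker strings that appear in the outputs above. The function names, verdict labels and exit codes are assumptions of this example.

```sh
#!/bin/sh
# Added example: gate a release on the signing state reported by
#   jarsigner -verify -verbose -certs <apk>
# Verdict labels and exit codes are this example's own conventions.

# Read jarsigner output on stdin; print unsigned | debug | non-debug | unknown.
classify_jarsigner_output() {
    _out=$(cat)
    if printf '%s\n' "$_out" | grep -q 'jar is unsigned'; then
        echo unsigned              # no usable signature at all
    elif printf '%s\n' "$_out" | grep -q 'CN=Android Debug'; then
        echo debug                 # at least one entry signed with debug.keystore
    elif printf '%s\n' "$_out" | grep -q 'X\.509, '; then
        echo non-debug             # certificates listed, none is the debug cert
    else
        echo unknown               # output not recognised; treat as a failure
    fi
}

# Return 0 only when the APK is signed with a non-debug certificate.
# Return 1 for unsigned/debug/unknown, 2 when the check could not be run.
check_apk() {
    _apk=$1
    [ -f "$_apk" ] || { echo "no such file: $_apk" >&2; return 2; }
    command -v jarsigner >/dev/null 2>&1 ||
        { echo "jarsigner not found on PATH" >&2; return 2; }
    _verdict=$(jarsigner -verify -verbose -certs "$_apk" 2>&1 |
        classify_jarsigner_output)
    echo "$_apk: $_verdict"
    [ "$_verdict" = "non-debug" ]
}

if [ $# -gt 0 ]; then
    check_apk "$1"
else
    # Constructed sample lines modelled on the two outputs shown above.
    printf 'no manifest.\njar is unsigned. (signatures missing or not parsable)\n' |
        classify_jarsigner_output
    printf 'sm  652 res/layout/activity_main.xml\n\n  X.509, CN=Android Debug, O=Android, C=US\n' |
        classify_jarsigner_output
fi
```

jarsigner only checks the JAR-style signature under META-INF, so an APK signed solely with a newer APK Signature Scheme is reported as unsigned here and should be checked with the Android SDK's apksigner verify instead.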
