Jan 12, 2013

Signing Android applications

If we want to create our own ROM packages or updates as a flashable zip for a custom recovery, we need to be able to sign them so the recovery will install them without problems. There are several scripts that will sign your packages for you, but here you will learn to create your own signing key so you can use it to sign your packages yourself.

As the basic requirement, we need a JDK installation with the keytool and jarsigner binaries. If they are in our PATH we won't need to reference them by their full path. If the binaries are not in your PATH, don't worry: you will just need to provide the full path to the binary, for example "C:\Program Files\JDK\bin\keytool".

Creating our own signature
We will create a keystore file that holds our signing key, so we can use it afterwards to sign our packages. To create a keystore, we use the following command:
keytool -genkey -v -keystore file.keystore -alias key_alias -keyalg RSA -keysize 2048 -validity 10000
This command creates a keystore named file.keystore containing a 2048-bit RSA key under the alias key_alias, valid for 10000 days. Once we hit enter, it will ask for the details of the certificate (name, organization, and so on) and for the keystore and key passwords. You can accept the default values or enter your own.

Signing things!
Once we've got our keystore file, we can use it to either sign applications (.apk) or packages (.zip).

  • Signing applications (the .apk is signed in place):
    jarsigner -verbose -keystore file.keystore example_app.apk key_alias
  • Signing packages (the signed copy is written to signed_update.zip):
    jarsigner -verbose -keystore file.keystore -signedjar signed_update.zip update.zip key_alias
Once signed, we can verify the signature with the following command:
jarsigner -verify [ example_app.apk | signed_update.zip ]
Now we're able to modify applications and sign them again, or create our own packages or ROMs and install them from recovery without signature problems.
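To show what the jarsigner -verify step above checks at the manifest level, here is an added Python example that is not part of the original post: it builds a constructed zip whose META-INF/MANIFEST.MF lists a SHA-256 digest per entry, the way jarsigner writes it, and then flags entries that were added or changed after signing. It does not check CERT.SF or CERT.RSA, so it complements jarsigner -verify rather than replacing it; the entry names and contents are made up.

```python
import base64, hashlib, io, re, zipfile

def parse_manifest(text):
    # Map entry name -> (digest header, base64 value); first undo jarsigner's 72-byte line folding.
    digests, name = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            name = None  # a blank line ends the current entry's section
        elif key == "Name":
            name = value
        elif key.endswith("-Digest") and name:
            digests[name] = (key, value)
    return digests

def check_manifest_coverage(zip_bytes):
    # Entries with no digest in MANIFEST.MF, or whose content no longer matches it.
    # jarsigner never digests the manifest itself or the .SF/.RSA/.DSA/.EC files it writes.
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            if name.endswith("/") or (name.startswith("META-INF/") and (
                    name == "META-INF/MANIFEST.MF" or name.upper().endswith((".SF", ".RSA", ".DSA", ".EC")))):
                continue
            algo, expected = digests.get(name, (None, None))
            h = hashlib.sha256 if algo == "SHA-256-Digest" else hashlib.sha1  # older JDKs wrote SHA1-Digest
            if algo is None or base64.b64encode(h(zf.read(name)).digest()).decode() != expected:
                bad.append(name)
    return bad

def build_signed_like_zip(files):
    # Constructed: entries plus a MANIFEST.MF with one SHA-256 digest per entry (no CERT.SF/CERT.RSA).
    manifest, buf = "Manifest-Version: 1.0\r\n\r\n", io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def tamper(zip_bytes, name, data):
    # Constructed tampering: replace or add one entry after signing, leaving MANIFEST.MF as is.
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for old in src.namelist():
            dst.writestr(old, data if old == name else src.read(old))
        if name not in src.namelist():
            dst.writestr(name, data)
    return out.getvalue()
```

Note that META-INF/com/google/android/updater-script is digested like any other entry, so a changed updater-script is caught just like a changed system file.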