Signing An Android App

jarsigner and apksigner

When a release build is generated it is unsigned, and before it can be uploaded to the Play Store it must be signed with a digital certificate. This is done to ensure the authenticity of the application: only the developer has access to this certificate, so only they can release versions of the application.

Before you go ahead to sign your apk or app bundle, you would require a keystore.

What is a keystore?

A keystore is a repository of security certificates that holds the public and private keys used to digitally sign an Android application. Each keystore is unique to an application. A keystore is generated with keytool, a tool that ships with the Java JDK.

How to generate a Keystore

A Keystore can be generated using the command line below:

$ keytool -genkey -v -keystore release-key.keystore -alias alias_myapp -keyalg RSA -keysize 2048 -validity 10000

After the command has executed successfully, you will be prompted to create a keystore password, followed by the tool's other questions. At the end you should have a file release-key.keystore in the directory you specified.

It is very important to keep this file safe: if you lose it, you will not be able to push updates to your app.

Zipalign Tool

This tool is used to zipalign an app. Zipalign is an optimization step that aligns the resources inside the APK so the application can run more efficiently. It is usually done when an application is about to be released publicly on the Google Play Store. On a Mac the tool can be found at ~/Library/Android/sdk/build-tools/VERSION/zipalign.

You can zipalign your app with the command line below:

zipalign -v 4 myapp-release-unsigned.apk myapp.apk

An unsigned APK can be signed in two ways:

  • jarsigner
  • apksigner

Jarsigner

jarsigner supports only "APK Signature Scheme v1" (the JAR-based signing scheme). It is a general-purpose tool for signing JAR files. It cannot sign an app bundle, nor an APK targeting API level 30 and above.

With jarsigner, the app has to be signed first, and zipalign is run afterwards.

Assuming you already have the JDK installed, change directory to the folder containing the unsigned app and the keystore, then run the following command:

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore release-key.keystore myapp-release-unsigned.apk alias_myapp

This command does not generate a new file; it signs the unsigned APK in place, without altering the file name and size.

The next step is to run the zipalign command to optimize the apk.

zipalign -v 4 myapp-release-unsigned.apk myapp.apk

This generates the final release binary myapp.apk, which can now be uploaded to Google Play for users to install.

Apksigner

This signing method supports both APK Signature Scheme v1 and v2. It is a utility of the Android SDK, available since Build Tools 24.0.3, and it is located at

$HOME/Library/Android/sdk/build-tools/24.0.3/ (for Mac).

The command line below can be used to sign an apk with apksigner:

apksigner sign --ks release-key.keystore myapp.apk

After executing this command you will be asked to input the keystore password.

Note: With apksigner, zipalign has to be run before signing, the reverse of the jarsigner order. This is because any change made to the APK after it has been signed invalidates its signature.
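As an added illustration (not code from the original article), the Python below inspects an APK and reports which signature schemes it carries: a v1 (JAR) signature shows up as a signature file under META-INF, while v2/v3 live in the APK Signing Block that apksigner writes immediately in front of the ZIP central directory. The magic string and pair IDs are those of the public APK Signing Block format; build_sample_apk constructs a toy APK (not a real signed app) with those markers so the check can run offline.

```python
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # pair IDs from the APK Signing Block format

def find_eocd(data):  # ZIP end-of-central-directory record, possibly followed by a comment
    for i in range(len(data) - 22, max(-1, len(data) - 22 - 65536), -1):
        if data[i:i + 4] == b"PK\x05\x06":
            return i
    raise ValueError("not a ZIP/APK: EOCD record not found")

def signing_block_ids(data):  # pair IDs in the APK Signing Block just before the central directory
    cd_offset = struct.unpack_from("<I", data, find_eocd(data) + 16)[0]
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return set()  # no block: the APK has at most a v1 (JAR) signature
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - size - 8  # layout: size | ID-value pairs | size | magic
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("malformed APK Signing Block")
    ids, pos = set(), start + 8
    while pos < cd_offset - 24:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        ids.add(pair_id)
        pos += 8 + pair_len
    return ids

def signature_schemes(apk):  # which of 'v1' (META-INF JAR signature), 'v2', 'v3' the APK carries
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        v1 = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in zf.namelist())
    return ({"v1"} if v1 else set()) | {SCHEME_IDS[i] for i in signing_block_ids(apk) if i in SCHEME_IDS}

def build_sample_apk(schemes):  # constructed toy APK (not a real signed app) with the given markers
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ["AndroidManifest.xml"] + (["META-INF/CERT.RSA"] if "v1" in schemes else []):
            zf.writestr(name, b"placeholder")
    data = bytearray(buf.getvalue())
    pairs = b"".join(struct.pack("<QI", 20, i) + b"\0" * 16  # 4-byte ID + 16 dummy value bytes
                     for i, s in SCHEME_IDS.items() if s in schemes)
    if pairs:
        size = len(pairs) + 24  # pairs + trailing size field + magic
        block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
        eocd = find_eocd(data)
        cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
        data[cd_offset:cd_offset] = block  # splice in front of the central directory
        struct.pack_into("<I", data, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(data)
```

Running signature_schemes over a real release APK before upload confirms whether it carries v2 (apksigner) or only v1 (jarsigner), which matters for the API level 30 requirement noted above.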

I hope you find this article helpful.