Code signing an android app

srbarlow3
VIP Livecode Opensource Backer
Posts: 37
Joined: Fri Sep 28, 2012 5:20 pm

Code signing an android app

Post by srbarlow3 » Sat Mar 08, 2014 1:49 pm

I'm getting ready to deploy my app to the Google play store and am trying to build a signed standalone. I chose the option of building a signed standalone by adding the reference to the keystore file in the standalone settings. I created a keystore file using the keytool application in Terminal on my Macintosh. It seemed to generate the needed file. My question is this: Is there any way to confirm that it is correctly signed prior to uploading my .APK to the Google play store?

I tried emailing the signed file to my android device and installing it, but before installing it still says that the file is from an unknown source. Should I be able to do this if the file is correctly signed? After all I went through to code sign my iOS version of the app, this seems way too easy. I question how much security is involved if it is this easy to self-sign my app.

I also saw a post in searching this subject on the forum that I didn't understand fully but it seemed to say that jarsigner might be the only way to successfully sign an app in LC 6.5.

Any help is greatly appreciated

Russ

srbarlow3
VIP Livecode Opensource Backer
Posts: 37
Joined: Fri Sep 28, 2012 5:20 pm

Re: Code signing an android app

Post by srbarlow3 » Sun Mar 09, 2014 12:59 am

An answer to my own question which I will document here for future searchers.

I generated the key and built the file both ways, in the standalone using the standalone builder with reference to the keystore file and by building the apk without a mean and adding it with jarsigner.

Afterward I used jarsigner commands to verify the file was correctly signed:

http://www.mobileqazone.com/forum/topic ... r-unsigned

Another way I found includes renaming a copy of the file with a .zip suffix, opening it and looking for a META-INF folder as described here:

http://appopus.wordpress.com/2013/05/31 ... correctly/

So I have a relative confidence that my app is correctly signed for Google Play...I guess it needs to be downloaded from the store to install without a security override on the device.
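
The META-INF check described in the post above, as an added example that is not part of the original thread: it looks for the files a JAR-style (jarsigner) signature leaves in the archive and recomputes each entry's digest against MANIFEST.MF. It does not validate the certificate or the signature block itself, which `jarsigner -verify` does; the function names and the sample archive are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile
SIG_PARTS = {"signature file (.SF)": r"META-INF/[^/]+\.SF$",
             "signature block (.RSA/.DSA/.EC)": r"META-INF/[^/]+\.(RSA|DSA|EC)$"}

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_v1_layout(apk):
    """List problems with the JAR-style signing metadata; [] means consistent."""
    with zipfile.ZipFile(apk) as z:
        names = z.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF: archive is unsigned"]
        problems = [f"missing {what}" for what, pat in SIG_PARTS.items()
                    if not any(re.match(pat, n, re.I) for n in names)]
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signing metadata and directory entries carry no digest
            attrs = manifest.get(name)
            if attrs is None:
                problems.append(f"{name}: not listed in manifest")
                continue
            for key, expected in attrs.items():
                if key.endswith("-Digest"):  # e.g. SHA1-Digest, SHA-256-Digest
                    algo = key[:-len("-Digest")].replace("-", "").lower()
                    actual = base64.b64encode(hashlib.new(algo, z.read(name)).digest())
                    if actual.decode() != expected:
                        problems.append(f"{name}: {key} mismatch")
    return problems

def build_sample(tamper=False):
    """Constructed in-memory archive; the .SF/.RSA contents are placeholders."""
    body, buf = b"constructed dex bytes", io.BytesIO()
    digest = base64.b64encode(hashlib.sha1(body).digest()).decode()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", body + (b"!" if tamper else b""))
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n"
                   f"Name: classes.dex\r\nSHA1-Digest: {digest}\r\n\r\n")
        z.writestr("META-INF/CERT.SF", "placeholder")
        z.writestr("META-INF/CERT.RSA", "placeholder")
    return buf
```

Calling `check_v1_layout("myApp.apk")` on a real file works the same way as on the in-memory sample, since `zipfile.ZipFile` accepts either a path or a file object.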

MaxV
Posts: 1580
Joined: Tue May 28, 2013 2:20 pm
Contact:

Re: Code signing an android app

Post by MaxV » Tue Mar 11, 2014 3:31 pm

In order to correctly sign an app created with Livecode:
  • use the don't sign option in the Livecode standalone options
  • sign the app with:

    jarsigner.exe -sigalg MD5withRSA -digestalg SHA1 -verbose -keystore myKey.keystore myApp.apk myalias

The jarsigner program is in the c:/Program Files/Java/JDK/bin/ folder.
Then you can install your app in any way on your device (download, copy on the device, etc.)
Livecode Wiki: http://livecode.wikia.com
My blog: https://livecode-blogger.blogspot.com
To post code use this: http://tinyurl.com/ogp6d5w

newtronsols
Posts: 192
Joined: Tue Mar 11, 2014 12:57 pm

Re: Code signing an android app

Post by newtronsols » Wed Mar 19, 2014 9:49 pm

I installed a demo apk on my mobile following the Livecode instructions:
1. Works fine when no private key - dev mode.
2. When it has a private key generated with keytool.exe it won't work when the apk is copied directly onto my mobile. Though it tests fine via usb.
3. Also this same apk won't work when uploaded onto Google Play and downloaded to a phone - says Package file was not signed correctly.
4. Java 7 install doesn't seem to have the jarsigner.exe - where is this? [windows]
5. General advice on the web seems to revolve around using MD5withRSA and using java 6.
6. Need a better way to test the keytool.exe variations typing in command lines and making simple errors is very tiring. Needs an app.

MaxV
Posts: 1580
Joined: Tue May 28, 2013 2:20 pm
Contact:

Re: Code signing an android app

Post by MaxV » Thu Mar 20, 2014 11:58 am

newtronsols wrote: I installed a demo apk on my mobile following the Livecode instructions:
1. Works fine when no private key - dev mode.

Yes, but you can't upload it on stores. You need to sign it correctly.

newtronsols wrote: 2. When it has a private key generated with keytool.exe it won't work when the apk is copied directly onto my mobile. Though it tests fine via usb.
3. Also this same apk won't work when uploaded onto Google Play and downloaded to a phone - says Package file was not signed correctly.
4. Java 7 install doesn't seem to have the jarsigner.exe - where is this? [windows]

You need the JDK (the Java Development Kit); Java alone doesn't permit you to develop programs. My jarsigner is in C:\Programmi\Java\jdk1.7.0_51\bin\

newtronsols
Posts: 192
Joined: Tue Mar 11, 2014 12:57 pm

Re: Code signing an android app

Post by newtronsols » Thu Mar 20, 2014 4:58 pm

I have gone so far as to develop a Livecode app to try to resolve this - but I'm still unable to get an app with a private key created via keytool.exe to run on my mobile phone: either copying the apk or via Google Play.
I have tried various permutations to get it to work without success.

MaxV
Posts: 1580
Joined: Tue May 28, 2013 2:20 pm
Contact:

Re: Code signing an android app

Post by MaxV » Fri Mar 21, 2014 10:00 am

Here are all the steps:
  1. Create a program with Livecode
  2. In File -> Standalone Application Settings... -> Android -> Signing choose do not sign
  3. Create the Android app with File -> Save as Standalone application (for example you obtained myApp.apk)
  4. Create a valid key with Oracle JDK keytool, this is the command on windows:

    keytool.exe -genkey -v -keystore mykey.keystore -alias myalias -keyalg RSA -validity 10000

     Keytool will ask you a lot of questions: please note that all the answers supplied to the questions proposed by keytool must be different.
  5. Sign the app with Oracle JDK jarsigner, this is the command on windows:

    jarsigner.exe -sigalg MD5withRSA -digestalg SHA1 -verbose -keystore myKey.keystore myApp.apk myalias
I hope this helps you. :wink:

newtronsols
Posts: 192
Joined: Tue Mar 11, 2014 12:57 pm

Re: Code signing an android app

Post by newtronsols » Fri Mar 21, 2014 1:19 pm

Finally got all the ducks in a row :D :D :D

1. Created a private key - using keytool.exe - stored in 'mykey.keystore'
2. Created my livecode app - setting 'do not sign' - e.g. demo.apk
3. Used jarsigner.exe to sign the 'demo.apk' - so adding private key details from 'mykey.keystore' and correct encryption etc
4. ran zipalign.exe to align - so no problems with Google Play.
5. Able to successfully upload to Google Play - no errors.
6. Able to download/install my 'demo.apk' from Google Play - no errors.
