How to Sign Android APK or Zip Files

When publishing an application or a custom ROM, you need to sign the .apk or .zip files with a certificate using a private key. The Android system uses the certificate to identify the author of an application and establish trust relationships between applications. The classic way of doing this was to use keytool and then sign with jarsigner. In this tutorial I’ll explain an alternative method that is relatively easy for most people to use, using a tool called SignApk.jar.

SignApk.jar is a tool included with the Android platform source bundle; you can download it from here. To use SignApk.jar you have to create a private key with its corresponding certificate/public key. To create the private/public key pair, you can use OpenSSL. OpenSSL is relatively easy to use on Unix/Linux systems. Windows users can download a Windows version of OpenSSL here.

How to create a private/public key pair using OpenSSL (Windows version)

    • Download the OpenSSL package from the link given above
    • Extract it anywhere on your drive (e.g. C:\openssl)
    • Within the openssl directory, type the following commands (using the cmd tool):

openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out request.pem
openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
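
A check worth running before signing, as an added example that is not part of the original post: it repeats the four steps above without prompts in a POSIX shell, then confirms that certificate.pem and key.pk8 hold the same public key and reports the key size. The function names and the "/CN=Example Signer" subject are assumptions made for the example, and the demo call passes 2048 rather than the 1024 used above, since 1024-bit RSA is below current minimum recommendations.

```shell
#!/bin/sh
# Added example (not from the original post): create the signing material
# without prompts, then confirm certificate.pem and key.pk8 are one key pair.

# make_signing_material DIR BITS: the four openssl steps, run inside DIR.
# "/CN=Example Signer" is a constructed subject; -subj replaces the prompts.
make_signing_material() (
    umask 077    # -nocrypt leaves key.pk8 unencrypted, so keep it owner-only
    cd "$1" || exit 1
    openssl genrsa -out key.pem "$2" &&
    openssl req -new -key key.pem -subj "/CN=Example Signer" -out request.pem &&
    openssl x509 -req -days 9999 -in request.pem -signkey key.pem \
        -out certificate.pem &&
    openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM \
        -out key.pk8 -nocrypt
)

# Public key as PEM, taken from the certificate and from the PKCS#8 DER key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
pk8_pubkey()  { openssl pkey -inform DER -in "$1" -pubout; }

# check_pair CERT PK8: prints match, MISMATCH, or unreadable.
check_pair() (
    cert_pub=$(cert_pubkey "$1") && key_pub=$(pk8_pubkey "$2") ||
        { echo unreadable; exit 0; }
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo MISMATCH; fi
)

# key_bits PK8: prints the RSA modulus size of the PKCS#8 DER key.
key_bits() {
    openssl pkey -inform DER -in "$1" -noout -text |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Demo in a throwaway directory; no existing key files are touched.
demo_dir=$(mktemp -d)
make_signing_material "$demo_dir" 2048
echo "pair: $(check_pair "$demo_dir/certificate.pem" "$demo_dir/key.pk8")"
echo "bits: $(key_bits "$demo_dir/key.pk8")"
rm -rf "$demo_dir"
```

A MISMATCH result means the certificate was issued for a different key than the one in key.pk8, which typically happens when files from two separate runs get mixed in the SignApk directory.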

How to sign apk or zip files using SignApk.jar:

    • Download SignApk.rar from the link given above
    • Extract it anywhere on your drive (e.g. c:\SignApk)
    • If you don’t have Java installed, download and install it.
    • Copy certificate.pem and key.pk8 into your extracted SignApk directory
    • Within the SignApk directory, type:

java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-signed-app.apk

OR

java -jar signapk.jar certificate.pem key.pk8 your-update.zip your-signed-update.zip

Note:

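If you don’t want to create your own public/private key pair, you can use the test key included in SignApk.rar. Because that key ships with the download, anyone who has SignApk.rar holds the same private key and can produce signatures identical to yours.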

Reference:

android-dls.com

Comments

  1. says

    your-update.zip= file to be signed, you can choose any names (ex: tomcat.zip etc)

    your-signed-update.zip = output file name, any names as you want (ex: tomcat-signed.zip)

    • says

      I have windows and this was a pain for me. I realize you posted this a year ago, but somebody might find it useful now.
      This is what I ended up getting to work:

      1) Save your OpenSSL under C:\
      2) Open command prompt
      3) Type the following:

      cd C:\OpenSSL\Bin
      set RANDFILE=.rnd
      openssl genrsa -out key.pem 1024
      openssl req -new -key key.pem -config "C:\OpenSSL\ssl\openssl.cnf" -out request.pem
      openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
      openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt

      4) Afterwards you must follow the instructions at the top of this post:
      “How to sign apk or zip files using SignApk.jar”

      • says

        I’d also suggest copying my instructions into a notepad and take off word wrap since this narrow comment section makes the command prompt stuff hard to decipher.

  2. Stuntinx says

    Thanks for the post! I have access denied on the last command… The .apk was signed and then I needed to change something small in the .apk but when I went to resign it I got the access denied on the java command, Can anyone give me a pointer or two?

  3. bob says

    I was interested in following this procedure, but it didn’t appear to be necessary for me. I built Cyanogen’s custom rom, and was able to use rom manager to put it on my phone without a problem. Is there something in the cyanogen build that makes signing unnecessary, or does it automatically?

    • Björn Wetterbom says

      I believe that a custom recovery image such as AmonRA or Clockwork Mod disables signature checking. At least on my phone with Clockwork Mod, there’s a menu option to toggle it.

  4. Giock says

    Hi all,
    Everything seems to go well until I try to flash from recovery; I receive this:
    E:No signature (5files)
    E:Verification failed
    any suggestion?

      • CJ says

        As do I. And I’m not yet able to find any info on the web re: this. I’m running AmonRA recovery 1.7.0 and Android COS-DS (based on CyanogenMod and AOSP sources). I don’t like the ringtones that come with it, so I made an update.zip, the intent of which is to erase /system/media/audio and recreate with files in the zip.

    • DizzyDen says

      Or simply:
      openssl req -new -key key.pem -config ..\openssl.cnf -out request.pem

      Then no matter where the user has the files stored it should find it.

  5. Crvi says

    How can I see the private keys? After carrying out the first 3 steps in the command prompt, it shows “GETTING PRIVATE KEY” at the end. Where should I go to see those keys?

  6. juan says

    But where do I have to put the apk in order to sign it?…
    Please, could someone give me
    a complete command line? I am Spanish
    and I don’t know much about the commands, I’m very new to cmd. Help!!!

  8. Pratik says

    Thank you for the nice article.

    When I export the APK from Eclipse, it asks me to create a keystore.

    What is the difference between this keystore and XXX.pem + XXX.pk8 ?

    Thank you.
