How to Sign Android APK or Zip Files
When publishing an application or a custom rom you need to sign the .apk or .zip files with a certificate using a private key. The Android system uses the certificate to identify the author of an application and establish trust relationship between applications. The classic way of doing this was to use keytool then sign it with jarsigner. In this tutorial i’ll explain an alternative method which is relatively easy to use for most people using a tool called SignApk.jar.
SignApk.jar is a tool included with the Android platform source bundle, you can download it from here. To use SignApk.jar you have to create a private key with it’s corresponding certificate/public key. To create private/public key pair, you can use Openssl. Openssl is relatively easy to use under unix/linux system. For Windows user, you can download Windows version of Openssl here.
How to create private/public key pair using openssl (windows version)
- Download openssl package from link given above
- Extract it anywhere on your drive (eg. C:\openssl)
- Within openssl directory type (use cmd tool):
- openssl genrsa -out key.pem 1024
- openssl req -new -key key.pem -out request.pem
- openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
- openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
How to sign apk or zip files using SignApk.jar:
- Download SignApk.rar from link given above
- Extract it anywhere on your drive (eg. c:\SignApk)
- If you don’t have java installed, download and install it.
- Copy certificate.pem and key.pk8 into your extracted SignApk directory
- Within SignApk directory type:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-signed-app.apk
OR
java -jar signapk.jar certificate.pem key.pk8 your-update.zip your-signed-update.zip
Note:
If you don’t want to create your own public/private key pair, you can use test key included in SignApk.rar.
Reference:
Related post:
36 Responses to “How to Sign Android APK or Zip Files”
Leave a Reply
-
Subscribe in a reader
Atom Feed URL
nice one.. but the which version of openssl that we use here?
version 0.9.8k, download it from link given above.
but what to type in “your-update.zip your-signed-update.zip”
your-update.zip= file to be signed, you can choose any names (ex: tomcat.zip etc)
your-signed-update.zip = output file name, any names as you want (ex: tomcat-signed.zip)
[...] I forgot how we figured out how to sign it and such. A MM theme would be swank. you can use signapk to sign… or just wait for the MM file __________________ The Germ Series, DroidMod & [...]
I tried it and it works – thanks a million!
This is a very useful technique. thanks for blogging about it .
I’m getting an error that the command prompt is unable to write random state. Any ideas on how to fix this?
I have windows and this was a pain for me. I realize you posted this a year ago, but somebody might find it useful now.
This is what I ended up getting to worK:
1) Save your OpenSSL under C:\
2) Open command prompt
3) Type the following:
cd C:\OpenSSL\Bin
set RANDFILE=.rnd
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -config “C:\OpenSSL\ssl\openssl.cnf” -out request.pem
openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
4) afterwords you must follow the instructions at the top of this post:
“How to sign apk or zip files using SignApk.jar”
I’d also suggest copying my instructions into a notepad and take off word wrap since this narrow comment section makes the command prompt stuff hard to decipher.
Thanks for the post! I have access denied on the last command… The .apk was signed and then I needed to change something small in the .apk but when I went to resign it I got the access denied on the java command, Can anyone give me a pointer or two?
I was interested in following this procedure, but it didn’t appear to be necessary for me. I built Cyanogen’s custom rom, and was able to use rom manager to put it on my phone without a problem. Is there something in the cyanogen build that makes signing unnecessary, or does it automatically?
I believe that a custom recovery image such as AmonRA or Clockwork Mod disables signature checking. At least on my phone with Clockwork Mod, there’s a menu option to toggle it.
[...] aplikacje npo jak tu How to Sign Android APK or Zip Files | All About Web & Mobile Application Development i zobacz czy bedzie dzialac __________________ Motywy na LG GT540 czyli Metamorph – [...]
Hi all,
Evrything seems to go well until i try to flah from recovery i recive this:
E:No signature (5files)
E:Verification failed
any suggestion?
I have the same issue.
As do I. And I’m not yet able to find any info on the web re: this. I’m running AmonRA recovery 1.7.0 and Android COS-DS (based on CyanogenMod and AOSP sources). I don’t like the ringtones that come with it, so I made an update.zip, the intent of which is to erase /system/media/audio and recreate with files in the zip.
[...] this error signature verification failed Installation aborted i tryed sind the update.zip How to Sign Android APK or Zip Files | All About Web & Mobile Application Development but aways i stop on signature verification [...]
Thanks it works just this command is incorrectly written above.
openssl req -new -key key.pem -config C:\opt\tools\openssl\openssl.cnf -out request.pem
But its pretty handy.Thanks
Or simply:
openssl req -new -key key.pem -config ..\openssl.cnf -out request.pem
Then no matter where the user has the files stored it should find it.
[...] -jar signapk.jar certificate.pem key.pk8 <update.zip> <update_signed.zip> Tutorial: How to Sign Android APK or Zip Files | All About Web & Mobile Application Development Regards Reply With [...]
[...] [...]
does any body know to change a apk file resolution
[...] ROM簽名工具下載:使勁點擊 [...]
Excellent! It worked perfectly! Thanks!
bom mrm
Worked flawlessly thanks a ton!!!
How can i see private keys.After carrying first 3 steps in command prompt it is showing “GETTING PRIVATE KEY” in the end,where should i go to see those keys
Hi there. I did the same way that you mentioned. But stil there is a famous message “E:signature verification failed”
HTC Sensation XE, HBOOT1.18.0000->1.17.1111
[...] [...]
How do you create private/public key pair using openssl linux?
Singing is explained nicely thank you, but my query is,how can we know that the file is singed or not?
nice, dude. thanks for the tips
pero donde tengo que poner la apk? para poder firmar?…
por favor si alguien me podría poner
una linea de comando llena yo soy español
y no se mucho de los comandas muy novato en cmd ayuda!!!
How do I create the required md5 from all this for input to Google to get a Maps API key?
[...] http://www.londatiga.net/it/how-to-sign-apk-zip-files/ [...]