[TECH] ANDROID APP SIGNING & ZIPALIGN
Android apps can be created using a variety of programming language and development programs.
These Android apps are distributed through various channels and are installed on Android devices.
These Android apps are distributed through various channels and are installed on Android devices.
In order to build a completed Andrioid apps, a signing procedure is required to identify the app creator.
Usually, the development program does this automatically, so no extra work is needed. However, if you apply security services such as LIAPP to an app, the app package will change, and you will have to sign it manually.
sign your app by google
Signing with jarsigner
You can sign the Android app using either apksigner or jarsigner.
Apksigner is a tool provided by Android SDK Build Tools of version 24.0.3 and later and can only be signed on apk files.
Jarsigner is a tool included in Java that can be signed both apk and an aab(Android App Bundle) files.
In this post, we will be specifically covering how to sign with jarsigner.
[ Preparations ]
- JAVA ( jarsigner )
- Key file ( .keystore or .jks )
- Alias and PassPhrase (password) that were set when key file was created
Jarsigner can be simply used by entering command lines in the form presented below on programs such as cmd in Windows or terminal in Mac.
[ APK ]
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore "KEYSTORE_PATH" "APP_FILE_PATH" "ALIAS_NAME"
[ AAB ]
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore "KEYSTORE_PATH" "APP_FILE_PATH" "ALIAS_NAME"
What we need to focus on here is the part marked with double quotation marks (").
[ KEYSTORE_PATH ]
- Enter the path to the keystore.
- Usually, it has an extension of .keystore or .jks.
* How to check the keystore in Android Studio
Build Menu => Generate Signed Bundle / APK => Select Android Aab Bundle or APK => Check Key store path
* How to check keystore from Unity
File Menu => Build Settings => Player Settings => Publishing Settings => Check the Path=> Check the location of a file with the identified name
[ APP_FILE_PATH ]
- Enter the path to the app file you wish to sign.
[ ALIAS_NAME ]
- Enter the Alias name created when you created the key.
* How to check Alias from Android Studio
Build menu => Select Generate Signed Bundle / APK => Select Android Aab Bundle or APK => Check Key alias
* How to check Alias from Unity
File Menu => Build Settings => Player Settings => Publishing Settings => Check Alias
A message to enter the password for the keystore will appear once you proceed a command.
Enter Passphrase for keystore:
When typing the keystore password, the password characters will not be displayed on the screen, but are actually entered.
In the case where incorrect password is entered, an error message as show below will appear.
In the case where incorrect password is entered, an error message as show below will appear.
jarsigner error: java.lang.RuntimeException: keystore load: Keystore was tampered with, or password was incorrect
Once the correct keystore password has been entered, you will proceed to the next step.
If the keystore password and key password are identical, the signing will proceed immediately.
If the keystore password and key password are different, you will be prompted to enter the key password.
If the keystore password and key password are identical, the signing will proceed immediately.
If the keystore password and key password are different, you will be prompted to enter the key password.
Enter key password for ALIAS_NAME:
Once the correct key password has been entered, signing will proceed and "jar signed." will be displayed when the siging is completed.
jarsigner command in windows cmd
In the command line, the -storepass and -keypass options allow you to specify and execute passwords in advance.
If you use this option, a message to enter the password will be not displayed; instead, password will be automatically entered.
[ APK ]
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore -storepass [Keystore_password] -keypass [Key_password] "KEYSTORE_PATH" "APP_FILE_PATH" "ALIAS_NAME"
[ AAB ]
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore -storepass [Keystore_password] -keypass [Key_password] "KEYSTORE_PATH" "APP_FILE_PATH" "ALIAS_NAME"
Occasionally, there is a case when receiving an error message although a valid password has been entered.
In this case, you should first check whether the keystore or Alias information is entered correctly.
Errors can also occur if the file name and path contain spaces or special characters.
APK zipalign
APK files that have been signed with jarsigner require further sorting using zipalign.
There are no problems with installation and execution without zipalign, but it may fail when registering with the App Market for distribution.
For AAB files, there is no official guide to zipalign, so it is not required.
You can run the command line in the form below for zipalign.
There are no problems with installation and execution without zipalign, but it may fail when registering with the App Market for distribution.
For AAB files, there is no official guide to zipalign, so it is not required.
You can run the command line in the form below for zipalign.
zipalign -f -v 4 "apk file Path that needs zipalign" "apk file Path that will be saved after zipalign-ing "
zipalign command in windows cmd
Signing & zipalign with script file
So far, we've learned how to sign and zipalign manually.
The script file below is a sample script that will make signing and zipalign easier.
Please see details below for your information using sample script.
Open the downloaded file in Notepad or Text Editor, modify it based on the contents below, and save the file.
The zipalign file is located in build-tools in the path where Android SDK is installed.
If you want to enter your own password without saving it, the -storepass and -keypass related options need to be removed.
Windows users can drag the app file to be signed to the LIAPP_sign_window.bat file and it will run immediately.
MAC users can run a terminal program either by dragging script files and app files in order, or entering paths as shown below.
The script file below is a sample script that will make signing and zipalign easier.
[ script for windows ]
[ script for MAC ]
Please see details below for your information using sample script.
Open the downloaded file in Notepad or Text Editor, modify it based on the contents below, and save the file.
KeyStorePath=" Keystore path "
ALIAS_NAME="alias name"
STORE_PASS=" Keystore Password"
KEY_PASS="Key password"
ZIP_ALIGN="zipalign File Path"
The zipalign file is located in build-tools in the path where Android SDK is installed.
If you want to enter your own password without saving it, the -storepass and -keypass related options need to be removed.
Windows users can drag the app file to be signed to the LIAPP_sign_window.bat file and it will run immediately.
MAC users can run a terminal program either by dragging script files and app files in order, or entering paths as shown below.
Ex. /Users/username/Downloads/LIAPP_sign_mac.sh /Users/username/AndroidStudioProjects/MyApplication/app/release/app-release.apk
Script run on MAC terminal
When running normally, contents such as \bs"signing: path/file" will be displayed and "jar signed." will be displayed when completed. If "jar signed." does not appear and an error occurs, check the relevant information and close the window. After that, take action on the error and re-run it. If the script has no problem running normally, contents such as "signing: path/file" will be displayed and "jar signed." will also appear once completed.
If an error appears rather than "jar signed.", check the related information provided and close the window.
Then, take action on the error and run it again.
Errors can also occur if the file name and path contain spaces or special characters.
APK files must be signed first and then zipaligned.
If the message "jar signed." has been confirmed without any issues during the signing process, press any key to proceed with the next zipalign steps.
A message with "Verification succesful" will be shown if zipalign is successfully completed.
The zipalign completed file is saved with _zipaligned following the file name.
For more information on signing and zipalign using jarsigner, please refer to the URL below.
jarsigner : https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jarsigner.html
app-signing : https://developer.android.com/studio/publish/app-signing
zipalign : https://developer.android.com/studio/command-line/zipalign
LIAPP, we provide the best service possible.
If an error appears rather than "jar signed.", check the related information provided and close the window.
Then, take action on the error and run it again.
Errors can also occur if the file name and path contain spaces or special characters.
APK files must be signed first and then zipaligned.
If the message "jar signed." has been confirmed without any issues during the signing process, press any key to proceed with the next zipalign steps.
A message with "Verification succesful" will be shown if zipalign is successfully completed.
The zipalign completed file is saved with _zipaligned following the file name.
For more information on signing and zipalign using jarsigner, please refer to the URL below.
jarsigner : https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jarsigner.html
app-signing : https://developer.android.com/studio/publish/app-signing
zipalign : https://developer.android.com/studio/command-line/zipalign
LIAPP, we provide the best service possible.
#android_application_security #ios_application_security #ios_application_security #source_code_hardening #android_app_bundle #AAB #APK #Android App Bundle #Mobile_app_security #App_security_service #Game_security_service #Sourcecode_protection #Obfuscation #Sourcecode_security #app_anti_tampering #Memory_dump_prevention #Malware_detection #Hackingtool_detection #Repackaging_prevention #Memory_security