Creating a Signing Certificate and Using it to Sign Your Application
In Chapter: Packaging, deploying and selling
Author: Zigurd Mednieks ('zigurd')
You want to publish an application, and you need a "signing key" to complete the process.
Use the standard JDK tool keytool to generate a self-signed certificate.
Google has stated that one of its intentions with Android was to minimize the hassle of getting applications signed. You don't have to go to a central signing authority to get a signing certificate; you can create the certificate yourself. Once you generate the certificate, you can sign your application using the jarsigner tool that comes with the Java JDK. Once again, you don't need to apply for or get anyone's approval. As you'll see, it's about as straightforward as signing can be.
To sign your application, you are going to create an encrypted signing certificate and use it to sign your application. You can sign every Android application you develop with the same signing certificate. You can create as many signing certificates as you want, but you really need only one for all your applications. And using one certificate for all your applications lets you do some things that you couldn't do otherwise:
Signing certificates are tied to the application package name, so if you change the signing certificate you use with subsequent versions of your application, you'll have to change the package name, too. Changing certificates is manageable, but messy.
- Multiple applications per process:
When all your applications share the same signing certificate, they can run in the same Linux process. You can use this to separate your application into smaller modules (each one an Android application) that together make up the larger ap- plication. If you were to do that, you could update the modules separately and they could still communicate freely.
Android lets you enable or restrict access to parts of your application based on the requester's signing certificate. If all your applications share the same certificate, it's easy for you to reuse parts of one application in another.
When you generate a key pair and certificate you'll be asked for the validity period you desire for the certificate. Although usual practice in web site development is to use one or two years, Google recommends that you set it for at least 25 years, and in fact, if you're going to use Android Market to distribute your application, it requires a validity date at least until October 22, 2033 (25 years to the day from when they opened Android Market) for your certificate.
Generating a key pair (public and private keys) and a signing certificate
To generate a pair of public/private keys, use a tool called keytool, which came with the Sun JDK when you installed it onto your development computer. keytool asks you for some information and uses that to generate the pair of keys:
- A private key that will be kept in a keystore on your computer, secured with passwords. You will use the private key to sign your application, and if you need a Map API Key for your application, you will use the MD5 fingerprint of the signing certificate to generate the Map API Key.
- A public key that Android can use to decrypt your signing certificate. You will send the public key along with your published application so that it can be made avail- able in the runtime environment. Signing certificates are actually checked only at install time, so once installed, your application is good to run, even if the certificate or keys expire.
keytool is pretty straightforward. From your operating system's command line, enter something like:
$ keytool -genkey -v -keystore myapp.keystore -alias myapp -keyalg RSA
This asks keytool to generate a key pair and self-signed certificate (-genkey) in verbose mode (-v), so you get all the information, and put it in a keystore called myapp.keystore (-keystore). It also says that in the future you want to refer to that key by the name myapp (-alias), and that keytool should use the RSA algorithm for generating public/private key pairs (-keyalg). Finally, we say that we'd like the key to be valid for 10,000 days (-validity), or about 27 years.
keytool will prompt you for some things it uses to build the key pair and certificate:
- A password to be used in the future when you want to access the keystore
- Your first and last names
- Your organizational unit (the name for your division of your company, or some-
thing like "self" if you aren't developing for a company)
- Your organization name (the name of your company, or anything else you want to use)
- The name of your city or localitY
- The name of your state or province
- The two-letter country code where you are located
keytool will then echo all this information back to you to make sure it's accurate, and if you confirm the information, will generate the key pair and certificate. It will then ask you for another password to use for the key itself (and give you the option of using the same password you used for the keystore). Using that password, keytool will store the key pair and certificate in the keystore.
If you're not familiar with the algorithms used here such as RSA and MD5, well, you don't actually need to know much about them. Assuming you've a modicum of intellectual curiostity, you can find out all you need to know about them with any good web search engine.
You can get more information about security, key pairs, and the keytool utility on Sun's website at http://java.sun.com/j2se/1.5.0/docs/tooldocs/#security.