Logo Icon Logo
A Crowd-sourced Cookbook on Writing Great Android® Apps
GitHub logo Twitter logo OReilly Book Cover Art
Creating a Signing Certificate and Using it to Sign Your ApplicationBack to Android Cookbook Home | Up to Chapter: Packaging, deploying and selling

Author: Zigurd Mednieks ('zigurd')
In Published Edition? Yes
FormatLanguage: WikiFormat

Creating a Signing Certificate and Using it to Sign Your Application


You want to publish an application, and you need a "signing key" to complete the process.


Use the standard JDK tool keytool to generate a self-signed certificate.


Google has stated that one of its intentions with Android was to minimize the hassle of getting applications signed. You don't have to go to a central signing authority to get a signing certificate; you can create the certificate yourself. Once you generate the certificate, you can sign your application using the jarsigner tool that comes with the Java JDK. Once again, you don't need to apply for or get anyone's approval. As you'll see, it's about as straightforward as signing can be.

To sign your application, you are going to create an encrypted signing certificate and use it to sign your application. You can sign every Android application you develop with the same signing certificate. You can create as many signing certificates as you want, but you really need only one for all your applications. And using one certificate for all your applications lets you do some things that you couldn't do otherwise:

Signing certificates are tied to the application package name, so if you change the signing certificate you use with subsequent versions of your application, you'll have to change the package name, too. Changing certificates is manageable, but messy.

When all your applications share the same signing certificate, they can run in the same Linux process. You can use this to separate your application into smaller modules (each one an Android application) that together make up the larger ap- plication. If you were to do that, you could update the modules separately and they could still communicate freely.

Android lets you enable or restrict access to parts of your application based on the requester's signing certificate. If all your applications share the same certificate, it's easy for you to reuse parts of one application in another.

When you generate a key pair and certificate you'll be asked for the validity period you desire for the certificate. Although usual practice in web site development is to use one or two years, Google recommends that you set it for at least 25 years, and in fact, if you're going to use Android Market to distribute your application, it requires a validity date at least until October 22, 2033 (25 years to the day from when they opened Android Market) for your certificate.

Generating a key pair (public and private keys) and a signing certificate

To generate a pair of public/private keys, use a tool called keytool, which came with the Sun JDK when you installed it onto your development computer. keytool asks you for some information and uses that to generate the pair of keys:

keytool is pretty straightforward. From your operating system's command line, enter something like:

$ keytool -genkey -v -keystore myapp.keystore -alias myapp -keyalg RSA
 -validity 10000

This asks keytool to generate a key pair and self-signed certificate (-genkey) in verbose mode (-v), so you get all the information, and put it in a keystore called myapp.keystore (-keystore). It also says that in the future you want to refer to that key by the name myapp (-alias), and that keytool should use the RSA algorithm for generating public/private key pairs (-keyalg). Finally, we say that we'd like the key to be valid for 10,000 days (-validity), or about 27 years.

keytool will prompt you for some things it uses to build the key pair and certificate:

thing like "self" if you aren't developing for a company)

keytool will then echo all this information back to you to make sure it's accurate, and if you confirm the information, will generate the key pair and certificate. It will then ask you for another password to use for the key itself (and give you the option of using the same password you used for the keystore). Using that password, keytool will store the key pair and certificate in the keystore.

See Also

If you're not familiar with the algorithms used here such as RSA and MD5, well, you don't actually need to know much about them. Assuming you've a modicum of intellectual curiostity, you can find out all you need to know about them with any good web search engine.

You can get more information about security, key pairs, and the keytool utility on Sun's website at http://java.sun.com/j2se/1.5.0/docs/tooldocs/#security.