[Android] Digital Certificate For Android Applications

Hi guys,
It's been a while since my last entry because I'm busy fighting exams at school :((

Well ... This entry is about Android. But it's not about source code or coding an app (application). Actually it's about something beside Android apps ^^ One of my friends made an application, and now he wants to distribute this app to the Android community.

He asked me how to "sign" his app. Hope this entry helps him and, of course, anyone else.
-----------------------------------------------------------------------------------------------------------------------------------------------

There are several ways of making a digital certificate for your apps:

  • Using cmd (Keytool & Jarsigner) (this entry is just about this way)
  • Through Eclipse
  • Using some software (e.g. Key Store Explorer)
  • ......
  1. Keytool & Jarsigner
Keytool helps us manage public/private key pairs and associated certificates.
Jarsigner generates signatures for Java Archive (JAR) files, and verifies the signatures of signed JAR files.

The info below is the summary I've got after browsing this page: http://developer.android.com/guide/publishing/app-signing.html. You can browse this page for further information.
Before you begin, make sure that the Keytool utility and Jarsigner utility are available to the SDK build tools. Both of these tools are available in the JDK. To generate a self-signed key with Keytool, use the keytool command and pass any of the options listed below.
Keytool options and their descriptions:

  • -genkey: Generate a key pair (public and private keys).
  • -v: Enable verbose output.
  • -alias: An alias for the key. Only the first 8 characters of the alias are used.
  • -keyalg: The encryption algorithm to use when generating the key. Both DSA and RSA are supported.
  • -keysize: The size of each generated key (bits). If not supplied, Keytool uses a default key size of 1024 bits. In general, we recommend using a key size of 2048 bits or higher.
  • -dname: A Distinguished Name that describes who created the key. The value is used as the issuer and subject fields in the self-signed certificate. Note that you do not need to specify this option in the command line. If not supplied, Jarsigner prompts you to enter each of the Distinguished Name fields (CN, OU, and so on).
  • -keypass: The password for the key. As a security precaution, do not include this option in your command line. If not supplied, Keytool prompts you to enter the password. In this way, your password is not stored in your shell history.
  • -validity: The validity period for the key, in days. Note: A value of 10000 or greater is recommended.
  • -keystore <keystore-name>.keystore: A name for the keystore containing the private key.
  • -storepass: A password for the keystore. As a security precaution, do not include this option in your command line. If not supplied, Keytool prompts you to enter the password. In this way, your password is not stored in your shell history.

Here's an example of a Keytool command that generates a private key:
$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
----------------------------------------------------------------------------------------------------------------------------------------------
When you have an application package that is ready to be signed, you can sign it using the Jarsigner tool. Make sure that the keystore containing your private key is available.
To sign your application, you run Jarsigner, referencing both the application's .apk and the keystore containing the private key with which to sign the .apk. The list below shows the options you could use.
Jarsigner options and their descriptions:

  • -keystore <keystore-name>.keystore: The name of the keystore containing your private key.
  • -verbose: Enable verbose output.
  • -storepass: The password for the keystore. As a security precaution, do not include this option in your command line unless you are working at a secure computer. If not supplied, Jarsigner prompts you to enter the password. In this way, your password is not stored in your shell history.
  • -keypass: The password for the private key. As a security precaution, do not include this option in your command line unless you are working at a secure computer. If not supplied, Jarsigner prompts you to enter the password. In this way, your password is not stored in your shell history.

Here's how you would use Jarsigner to sign an application package called my_application.apk, using the example keystore created above.
$ jarsigner -verbose -keystore my-release-key.keystore my_application.apk alias_name
Running the example command above, Jarsigner prompts you to provide passwords for the keystore and key. It then modifies the .apk in-place, meaning the .apk is now signed. Note that you can sign an .apk multiple times with different keys.    
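
What Jarsigner's in-place modification leaves inside the .apk, as an added example (not from the original entry or the Android documentation): the script lists the signers found in META-INF and re-checks the per-file digests recorded in MANIFEST.MF. The sample archive is constructed in memory with a placeholder signature block, and `ALIAS_NA` is the base name Jarsigner derives by default from the first 8 characters of the alias `alias_name`; only digests are checked, not the signature itself.

```python
import base64, hashlib, io, re, zipfile

def b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def default_sigfile(alias):
    return re.sub(r"[^A-Z0-9_-]", "_", alias[:8].upper())  # jarsigner's default base name

def signers(apk):
    """Base names in META-INF that have both a .SF file and a signature block."""
    names = [n.upper()[9:] for n in apk.namelist() if n.upper().startswith("META-INF/")]
    sf = {n[:-3] for n in names if n.endswith(".SF")}
    blocks = {n.rsplit(".", 1)[0] for n in names if n.endswith((".RSA", ".DSA", ".EC"))}
    return sorted(sf & blocks)

def parse_manifest(text):
    """Map entry name -> {attribute: value} for each section of MANIFEST.MF."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    sections = [dict(l.split(": ", 1) for l in s.split("\n") if ": " in l)
                for s in text.split("\n\n")]
    return {s["Name"]: s for s in sections if "Name" in s}

def mismatched_entries(apk):
    """Files missing from MANIFEST.MF or not matching its digests (no signature check)."""
    manifest = parse_manifest(apk.read("META-INF/MANIFEST.MF").decode("utf-8"))
    bad = []
    for name in apk.namelist():
        if name.endswith("/") or name.upper().startswith("META-INF/"):
            continue  # directories and signature files are not listed in the manifest
        want = {k[:-7]: v for k, v in manifest.get(name, {}).items() if k.endswith("-Digest")}
        if not want or any(b64_digest(a.replace("-", "").lower(), apk.read(name)) != v
                           for a, v in want.items()):
            bad.append(name)
    return bad

def build_sample(tamper=False):
    """Constructed archive shaped like a jarsigner-signed .apk; signature block is a placeholder."""
    files = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
    mf = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {b64_digest('sha256', d)}\r\n\r\n" for n, d in files.items())
    buf, base = io.BytesIO(), default_sigfile("alias_name")
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr(f"META-INF/{base}.SF", "Signature-Version: 1.0\r\n")
        z.writestr(f"META-INF/{base}.RSA", b"placeholder, not a real PKCS#7 block")
        for n, d in files.items():
            z.writestr(n, d + b"!" if tamper and n == "classes.dex" else d)
    return zipfile.ZipFile(buf)

print(signers(build_sample()), mismatched_entries(build_sample(tamper=True)))
```

An .apk signed several times with different keys shows one base name per signer in the output of `signers()`.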
  2. Through Eclipse
Go to this link for more information: http://developer.android.com/guide/publishing/app-signing.html#setup

  3. Using Key Store Explorer
Go to this link for more information: http://www.lazgosoftware.com/kse/index.html


-----------------------------------------------------------------------------------------------------------------------------------------------
Hope you guys find this entry useful ! Have fun, guys !