Signing Android Applications

In order to install an app on an Android device or on an Android emulator, the app’s package must be signed.

App Android Directory

I like to create a subdirectory named android in my Eclipse workspace’s directory to hold the files needed to build my Android app. Let’s say that my Eclipse workspace directory is

H:\my-android-app

I would create the subdirectory

H:\my-android-app\android

to hold these files.

Debug Certificate

Eclipse automatically generates a certificate that can be used to sign a debug version of an app. This file is called debug.keystore and is usually stored in the .android subdirectory of your home directory (you can use Eclipse’s Preferences page, under Android > Build, to see the directory actually being used).

Each time you install Eclipse with the ADT plugin you get a new debug certificate. Since you may work on your app’s code from different computers, and since different people may work on the code base, it is a good idea to copy one of these certificate files into your app’s project so that every person and every computer signs with the same certificate. Copy the debug.keystore file to the app’s android subdirectory (see above).

Lastly, each developer must point their Eclipse ADT settings at this file. Go back to Eclipse’s Preferences page, then to the Android > Build section, browse to this new debug.keystore file and set it as the custom debug keystore.

Release Certificate

Presumably you will eventually want to release your app to the Android Market (or use some other distribution mechanism) so that users can install it. You will need a self-signed “release” certificate for this, since the debug certificate cannot be used to sign an app that will be installed on user devices. The first step is to create the keystore that will hold this certificate. Set your current directory to the app’s android directory and enter this command:

keytool -genkey -v -keystore release.keystore -alias <app-name> -storepass <store-pwd> -keypass <key-pwd> -keyalg RSA -validity 18000

What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 18,000 days
	for: CN=doten.biz, OU=Software Development, O=doten design & development, L=Dunbarton, ST=NH, C=US
[Storing release.keystore]

Notice that I specified that the certificate will be good for about 50 years (18,000 days); this is in line with common Android practice. You will also need to supply the organizational information shown, and of course substitute your application name, store password, and key password in the appropriate places. You now have a self-signed certificate in release.keystore that you can use to sign your app just prior to releasing it into the wild. Protect this file and its passwords: the certificate is what uniquely identifies your app to Android, and you cannot upgrade your app without it.

MD5 Fingerprints

Various tools require the MD5 fingerprint of a certificate. To obtain the MD5 fingerprint of the release certificate, use this command:

keytool -list -alias <app-name> -keystore release.keystore -storepass <store-pwd> -keypass <key-pwd>

<app-name>, Mar 31, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Note that the auto-generated debug.keystore certificate has an alias of androiddebugkey, a store password of android, and a key password of android. So to obtain the MD5 fingerprint for the debug certificate, use this command:

keytool -list -alias androiddebugkey -keystore debug.keystore -storepass android -keypass android

You can now use these fingerprints to obtain Android Maps API debug and release keys for your application, or for any other purpose that needs the fingerprint of your signing certificate.
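As an added example that is not part of the original post, here is a small Java program (KeystoreCheck.java is a hypothetical name) that opens release.keystore or debug.keystore with its store password, prints the same MD5 fingerprint that keytool -list shows (plus the SHA1 and SHA256 forms newer tools ask for), and flags two things the keytool command above leaves to you: a 1024-bit key, which was keytool’s default when the output above was captured, and a certificate that expires before 22 October 2033, the date the Android Market required release certificates to remain valid past. It assumes a JKS keystore and an RSA key, as created by the keytool command in this post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;

public class KeystoreCheck {
    // Build the fingerprint exactly as `keytool -list` prints it: a digest of the
    // DER-encoded certificate, rendered as colon-separated upper-case hex pairs.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystoreCheck <keystore-file> <alias> <store-pwd>");
            System.exit(2);
        }
        // keytool wrote JKS keystores at the time of this post; the JKS loader in recent JDKs also opens PKCS12 files.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());   // only the store password is needed to read certificates
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[1]);
        if (cert == null) {
            System.err.println("no certificate stored under alias " + args[1]);
            System.exit(1);
        }
        System.out.println("Expires: " + cert.getNotAfter());
        System.out.println("Certificate fingerprint (MD5):    " + fingerprint(cert, "MD5"));
        System.out.println("Certificate fingerprint (SHA1):   " + fingerprint(cert, "SHA-1"));
        System.out.println("Certificate fingerprint (SHA256): " + fingerprint(cert, "SHA-256"));
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            System.out.println("RSA key size: " + bits + " bits");
            if (bits < 2048) System.out.println("WARNING: 1024-bit RSA is too short today; regenerate with -keysize 2048");
        }
        // The Android Market (now Google Play) required release certificates to stay valid past 22 October 2033.
        if (cert.getNotAfter().toInstant().isBefore(Instant.parse("2033-10-22T00:00:00Z"))) {
            System.out.println("WARNING: certificate expires before 22 Oct 2033; use a longer -validity");
        }
    }
}
```

Run it with java KeystoreCheck.java release.keystore <app-name> <store-pwd> (Java 11 or later runs the single source file directly), or with debug.keystore androiddebugkey android for the debug certificate; the MD5 line should match what keytool -list prints for the same alias.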