Let me just say this upfront.

Code signing is so boring it makes my teeth ache. It exists for a good reason: you want people to be sure that your software package is actually from you, right?! And yet it is something that so many developers struggle to get right on a daily basis. It’s like doing your taxes after a full year of working and having so many forms to fill out. Yippee.

Scroll down if you just want to see the step-by-step guide to Android code signing and are not interested in why we do it 😉

Why we code sign

We sign our packages so that Android and Google Play can tell that a package (and every update to it) really comes from us. We do this by signing the package with a key that we generate. Android will only install an update over an already installed app if the update is signed with the same key as the installed version. Likewise, when we upload our first signed package to Google Play, it records the key that signed it and rejects later uploads that are signed with a different key.

To achieve this, Android package signing relies on a tool that ships with the Java Development Kit (JDK) called keytool. keytool has been around for about as long as the JDK itself, so it is pretty old, which is probably part of the reason why signing an APK or AAB (Android App Bundle) is as confusing as it is.

Why can’t the Play Store just handle code signing for us?

We’d be tempted to wish for a nirvana where we could hand all our unsigned app bundles to the Play Store and have it sign them for us. That logic quickly breaks down, though. If you wrote a book, would you get someone else to sign it? No. You’d sign it yourself, because you are the author.

These days code signing is a lot easier than it used to be. As long as we always sign our uploads with the same key (the “upload key”), Google Play will generate and manage the actual app signing key for us (this is Play App Signing): it checks that each upload is signed with our upload key and then re-signs the app with the app signing key before distributing it. The upload key stays with us, so it still has to be generated and protected as described below.

If you are particularly enterprising, you can attempt to read and understand everything here, but I’ve been developing for Android for the better part of three years now and I’m sad to say that even I don’t understand it completely. All I know is that when it breaks, it is a huge pain to fix.

Let’s take the time to understand not only how to code sign but also why we code sign. When we understand the necessity of this process, it will make it easier to complete.

What do we need for code signing?

The short version: for code signing we need to

  • create a Java KeyStore (JKS) file with the JDK’s keytool;
  • sign our app bundle or APK with the private key stored in that keystore;
  • add a signing configuration to build.gradle;
  • send the signed package to the distributor (Google Play).

At the end of this article you will also find out how to make code signing work with Codemagic.

Now the longer version: a step-by-step guide to what we need for Android code signing and how to do it.

Step-by-step guide for Android code signing

STEP 1: The Java Development Kit (JDK)

If you are developing for Android, you probably already have the JDK installed.

We need to create a Java KeyStore (JKS) file that holds our signing material. In generating a JKS for our app, we are actually creating a private key and a self-signed certificate for it on our computer. The keystore and the key inside it are each protected by a password that we set.

From a command prompt, we can type the following to create a JKS (on Windows, %USERPROFILE%\Desktop is the desktop folder; on macOS or Linux use ~/Desktop/key.jks).

keytool -genkey -v -keystore %USERPROFILE%\Desktop\key.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias DEVELOPERNAME

We’re telling keytool to generate a 2048-bit RSA key pair inside a Java KeyStore on our desktop. The certificate will be valid for 10,000 days, or roughly 27 years, which lets us push updates for the lifetime of our app. Don’t pick a short validity: Google Play requires the certificate of an app signing key to remain valid until at least 22 October 2033, and an expired certificate means no more updates. We’re also required to set an alias, which is simply the name the key goes by inside the keystore. I make this my developer name or something I will remember.

keytool will prompt for various pieces of information along the way. It’s important to specify these correctly, as they become the subject name of the certificate that is attached to our private key.

You’ll be prompted for:

  • Keystore password – you’ll need this to unlock the keystore again in the future. If you lose this password, it is pretty much impossible to recover it.
  • Re-enter keystore password
  • Personal details to put in the certificate (its distinguished name)

We will be prompted to fill out some details about ourselves. These are the details associated with our private key, so they should be somewhat relevant. It’s up to you what you put in these fields, but as a rule of thumb, I wouldn’t make it too crazy.

This is what the keytool session looks like.

C:\code\signingtest\android\app>keytool -genkey -v -keystore key.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias androidapps
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Codemagic Article Dude
What is the name of your organizational unit?
  [Unknown]:  Fantastic Apps And Where To Find Them
What is the name of your organization?
  [Unknown]:  Greatapps
What is the name of your City or Locality?
  [Unknown]:  Estonia
What is the name of your State or Province?
  [Unknown]:  Tartu
What is the two-letter country code for this unit?
  [Unknown]:  EE
Is CN=Codemagic Article Dude, OU=Fantastic Apps And Where To Find Them, O=Greatapps, L=Estonia, ST=Tartu, C=EE correct?
  [no]:
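To make Step 1 repeatable on a build machine, here is a scripted version of the same keytool command, added as an example for this article (it is not code from the article or from Codemagic). It assumes a JDK keytool on PATH and the keystore password in a KEYSTORE_PASSWORD environment variable; the alias, distinguished name and file names are placeholders. Beyond generating the keystore, it checks the two things that bite people later: that the certificate stays valid past Google Play’s 22 October 2033 cut-off, and that the keystore you are about to sign with still has the same certificate fingerprint as the one the first release was signed with.

```python
"""Scripted keystore generation and sanity checks for Android code signing.

Added example, not code from the article or from Codemagic. Assumes a JDK
``keytool`` on PATH and the keystore password in KEYSTORE_PASSWORD. Alias,
distinguished name and paths are placeholders.
"""
import os
import re
import shutil
import subprocess
from datetime import date, datetime

# Google Play requires the signing certificate to stay valid past this date.
PLAY_MIN_VALID_UNTIL = date(2033, 10, 22)


def keytool_genkeypair_cmd(keystore, alias, dname, validity_days=10000):
    """Same invocation as the article, made non-interactive.

    ``-genkey`` is the old alias of ``-genkeypair``. ``-dname`` answers the
    prompts up front so this runs on CI without a terminal, and the passwords
    are read from the environment (``-storepass:env``) instead of being put on
    the command line, where ``ps`` and shell history would record them.
    """
    return [
        "keytool", "-genkeypair", "-v",
        "-keystore", keystore, "-storetype", "JKS",
        "-keyalg", "RSA", "-keysize", "2048",
        "-validity", str(validity_days),
        "-alias", alias,
        "-dname", dname,
        "-storepass:env", "KEYSTORE_PASSWORD",
        "-keypass:env", "KEYSTORE_PASSWORD",
    ]


# Lines of interest in ``keytool -list -v`` output.
_ALIAS_RE = re.compile(r"^Alias name: (\S+)", re.M)
_UNTIL_RE = re.compile(r"until: \w{3} (\w{3}) (\d{1,2}) \d{2}:\d{2}:\d{2} \S+ (\d{4})")
_SHA256_RE = re.compile(r"SHA256: ((?:[0-9A-F]{2}:){31}[0-9A-F]{2})")


def parse_keytool_list(text):
    """Pull alias, validity end and SHA-256 fingerprint out of ``keytool -list -v``."""
    alias, until, sha = _ALIAS_RE.search(text), _UNTIL_RE.search(text), _SHA256_RE.search(text)
    if not (alias and until and sha):
        raise ValueError("unexpected keytool -list output")
    mon, day, year = until.groups()
    return {
        "alias": alias.group(1),
        "valid_until": datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date(),
        "sha256": sha.group(1),
    }


def check_play_requirements(info, today=None):
    """Return the problems Google Play would have with this key ([] if none)."""
    today = today or date.today()
    problems = []
    if info["valid_until"] <= today:
        problems.append("certificate has already expired")
    if info["valid_until"] <= PLAY_MIN_VALID_UNTIL:
        problems.append(f"certificate expires {info['valid_until']}, "
                        f"Play needs validity past {PLAY_MIN_VALID_UNTIL}")
    return problems


def same_signing_key(info, expected_sha256):
    """Key continuity: Android only installs an update over an installed app if it is
    signed with the same certificate, so compare the fingerprint against the one
    recorded when the first release was built. Colons and case are ignored."""
    def norm(s):
        return s.replace(":", "").upper()
    return norm(info["sha256"]) == norm(expected_sha256)


def generate_and_inspect(keystore, alias, dname):
    """Create the keystore with keytool and return the parsed certificate details."""
    if "KEYSTORE_PASSWORD" not in os.environ:
        raise RuntimeError("export KEYSTORE_PASSWORD before running this")
    if shutil.which("keytool") is None:
        raise RuntimeError("keytool not found; install a JDK")
    subprocess.run(keytool_genkeypair_cmd(keystore, alias, dname), check=True)
    listing = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-alias", alias,
         "-storepass:env", "KEYSTORE_PASSWORD"],
        check=True, capture_output=True, text=True).stdout
    return parse_keytool_list(listing)


# Constructed sample of ``keytool -list -v`` output (not captured from a real run),
# shaped like what a key made with the article's command would print.
SAMPLE_LIST_OUTPUT = """\
Alias name: androidapps
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Codemagic Article Dude, OU=Fantastic Apps And Where To Find Them, O=Greatapps, L=Tartu, ST=Tartumaa, C=EE
Issuer: CN=Codemagic Article Dude, OU=Fantastic Apps And Where To Find Them, O=Greatapps, L=Tartu, ST=Tartumaa, C=EE
Valid from: Wed Mar 04 10:11:12 EET 2020 until: Sun Jul 21 10:11:12 EEST 2047
Certificate fingerprints:
         SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
         SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

if __name__ == "__main__":
    info = generate_and_inspect(
        "key.jks", "androidapps",
        "CN=Codemagic Article Dude, OU=Fantastic Apps And Where To Find Them, O=Greatapps, L=Tartu, ST=Tartumaa, C=EE")
    print(info, check_play_requirements(info))
```

Run it with KEYSTORE_PASSWORD exported. The parse and check functions also work on the output of `keytool -list -v` for an existing keystore, which is the quickest way to confirm you are about to sign with the right key (and one that Play will still accept) before you upload.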

Step-by-step guide to Android code signing and code signing with Codemagic