All Android Applications Must Be Digitally Signed
All Android applications must be signed before they are allowed to be deployed onto a device (or emulator). Unlike other mobile platforms, you need not purchase digital certificates from a certificate authority (CA). Instead, you can generate your own personal certificate and use it to sign your Android applications.
Figure 2. Signing Your App: All Android applications developed in Eclipse are signed using a default debug keystore.
When you use Eclipse to develop your Android application and then press F11 to deploy it to an emulator, Eclipse automatically signs it for you. To verify this, first go to Window > Preferences in Eclipse, then expand the Android item, and select Build (see Figure 3). Eclipse uses a default debug keystore (debug.keystore) to sign your application.
Signing an Application Manually
If you are publishing an Android application, you must sign it with your own certificate. Applications signed with the debug certificates cannot be published. To sign your application manually, you need to perform the following steps:
The jarsigner.exe tool takes in the following options:
- -keystore: This is the name of the keystore containing your private key.
- -verbose: This enables verbose output.
The alias for the debug.keystore file is androiddebugkey. Figure 5 shows the application signed with the debug.keystore default keystore.

Figure 5. Signed with the Keystore: Signing the .apk file with debug.keystore.
Figure 6. Verified and Certified: Verifying that the application was signed correctly.
To verify that the application is signed correctly, you can use the -verify option with jarsigner.exe. You can also use the -certs option to view the details of the certificate used to sign the application (see Figure 6).
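The verification step above can be turned into a pre-publication check that fails when an .apk is unsigned or still carries the debug certificate. The script below is an added example, not code from the original article. The function names classify_signing and check_apk are hypothetical, the sample jarsigner output is constructed, and the check assumes the debug certificate has the SDK's default subject, CN=Android Debug, O=Android, C=US.

```shell
#!/bin/sh
# Added example (not from the original article): release gate that rejects
# APKs that are unsigned or still signed with the SDK debug key.
# classify_signing and check_apk are hypothetical helper names.

# Reads the output of `jarsigner -verify -verbose -certs <apk>` on stdin.
# Prints a verdict; returns 0 = release-signed, 1 = debug-signed, 2 = not verified.
classify_signing() {
    out=$(cat)
    case "$out" in
        *"jar verified."*) ;;                       # jarsigner's success line
        *) echo "unsigned-or-invalid"; return 2 ;;
    esac
    case "$out" in
        # Assumed subject of the certificate the SDK generates for debug.keystore
        *"CN=Android Debug"*) echo "debug-signed"; return 1 ;;
    esac
    echo "release-signed"
    return 0
}

# Runs the verification described in the article and classifies the result.
check_apk() {
    jarsigner -verify -verbose -certs "$1" 2>&1 | classify_signing
}

# Constructed samples of jarsigner output, for offline testing only.
SAMPLE_DEBUG='sm      1716 Mon Jan 04 10:00:00 UTC 2010 classes.dex

      X.509, CN=Android Debug, O=Android, C=US

jar verified.'
SAMPLE_RELEASE='sm      1716 Mon Jan 04 10:00:00 UTC 2010 classes.dex

      X.509, CN=Example Developer, O=Example Org, C=US

jar verified.'
SAMPLE_UNSIGNED='jar is unsigned. (signatures missing or not parsable)'

# Usage: sh check_apk.sh path/to/app.apk   (exit status is the verdict code)
if [ "$#" -gt 0 ]; then
    check_apk "$1"
fi
```

Run as a build step, a non-zero exit status stops the release before a debug-signed or unsigned package is uploaded.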