The APK should be in projectfolder\platforms\android\app\build\outputs\apk\release. When building with Crosswalk, the APKs are in platform-specific folders there.
What is a keystore
A keystore file is a file that contains the key(s) to sign your app(s). One keystore file can contain different keys for different apps. These keys are unique. Updates need to have the same key as the APK in the Play Store. So if you lose your keys, you cannot update your apps.
You can sign all your apps with the same key. But I would advise using a different key for each app. All your keys can be stored in the same keystore file.
For generating the keystore we are going to use the Java command 'keytool'.
You can generate the keystore file anywhere on your computer (e.g. in your JAVA\Bin folder) and copy it around later, or just add an absolute path to it in the command. But since I added Java to the path, I did it in the folder the release APK is in. This makes the following steps easier.
Brief overview parameters needed:
-genkey : or -genkeypair. generate a key pair
-v : verbose output
-keystore MyKeyStore.keystore : store in keystore with given name
-alias AliasOfYourApp : alias of the app you wanna sign e.g. myapp
-keyalg RSA : Algorithm name
-keysize 2048 : Size of the key
-validity : Number of days the key is valid. Must be valid for the whole lifespan of your app, or at least as long as you wanna be able to update.
The keytool will ask the following questions:
1. Enter keystore password: Strong Password to protect the keystore file
2. What is your first and last name?:
3. What is the name of your organizational unit?
4. What is the name of your organization?
5. What is the name of your City or Locality?
6. What is the name of your State or Province?
7. What is the two-letter country code for this unit?
8. Enter key password for <Your_App_Name>: Strong Password to protect the key
I answered questions 2 and 4 with the same values as I gave in the Play Store. Is that necessary or not?
I found it a good idea to write down the answers of the questions before generating the keystore.
Generating a keystore
Open the command prompt (and go to projectfolder\platforms\android\app\build\outputs\apk\release) and type:
keytool -genkey -v -keystore MyKeyStore.keystore -alias AliasOfYourApp -keyalg RSA -keysize 2048 -validity 10000
On success you will have a file called MyKeyStore.keystore in the folder where you ran the command. Be careful with it. You need it every time you wanna update your app.
Adding a key for another app goes the same way. With a different alias, of course.
If you wanna check which app alias - key combinations are in the keystore:
keytool -list -v -keystore MyKeyStore.keystore
Signing your APK
Make sure your release APK and keystore file are in the same folder. Open the command prompt and go to that folder. Jarsigner will ask for your keystore and app-key password.
MyKeyStore.keystore is your keystore file as you named it with the keytool
app-release-unsigned.apk is your apk as cordova named it
AliasOfYourApp is the Alias you used with the keytool
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore MyKeyStore.keystore app-release-unsigned.apk AliasOfYourApp
On success you will have a signed APK that is still called app-release-unsigned.apk. Do not rename it.
The keystore file and unsigned apk file can be in different folders, but then you have to include the paths to them in the command.
As given, the jarsigner command gives a warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2045-08-19) or after any future revocation date.
Why? We signed the APK at a certain date. Jarsigner looks at the PC date and uses that, but that is not a proven date. With a validity of 10.000 days after creating your key, I feel this is not going to be a problem. You seem to get rid of this warning by adding -tsa http://timestamp.digicert.com to the command, where the URL is an example of a proven source for a timestamp. For more information see:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/time-of-signing.html
Aligning apk name with new status
If you added the folder with the android\sdk\build-tools to your path as suggested above, you can keep your command prompt open and type:
zipalign -v 4 app-release-unsigned.apk MyAppName.apk
On success you have 2 APKs: app-release-unsigned.apk and MyAppName.apk. The last one is the one you can upload to the Play Store.
When you build for Crosswalk and you get 5 APKs, you have to sign every APK you wanna upload to the Play Store with the same keys.
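The sign, verify and align steps above, run over every unsigned release APK in one go and ending with a check that all of them carry the same signer certificate. This is an added example, not part of the original post. The file-name filter, the output name ending in signed.apk and the reliance on the JDK's English output ("jar verified", "SHA256:") are assumptions.

```powershell
# Added example, not from the original post. Assumes keytool, jarsigner and
# zipalign are on PATH; folder, keystore and alias are the post's placeholders.
$ApkRoot  = 'projectfolder\platforms\android\app\build\outputs\apk\release'
$KeyStore = Join-Path $ApkRoot 'MyKeyStore.keystore'
$Alias    = 'AliasOfYourApp'
$Tsa      = 'http://timestamp.digicert.com'   # timestamp URL named in the post

if (-not (Test-Path $KeyStore)) { throw "Keystore not found: $KeyStore" }
# Assumed naming: every unsigned APK ends in release-unsigned.apk.
$apks = @(Get-ChildItem -Path $ApkRoot -Recurse -Filter '*release-unsigned.apk')
if ($apks.Count -eq 0) { throw "No unsigned release APK found under $ApkRoot" }

$fingerprints = @{}
foreach ($apk in $apks) {
    # jarsigner signs in place and prompts for both passwords, so they never
    # appear on the command line or in the shell history.
    & jarsigner -sigalg SHA1withRSA -digestalg SHA1 -tsa $Tsa `
        -keystore $KeyStore $apk.FullName $Alias
    if ($LASTEXITCODE -ne 0) { throw "Signing failed: $($apk.Name)" }

    # Confirm the signature is really there instead of trusting the exit code.
    $verify = & jarsigner -verify $apk.FullName | Out-String
    if ($LASTEXITCODE -ne 0 -or $verify -notmatch 'jar verified') {
        throw "Verification failed: $($apk.Name)"
    }

    # Record the SHA-256 fingerprint of the certificate that signed this APK.
    $cert = & keytool -printcert -jarfile $apk.FullName | Out-String
    if ($cert -match 'SHA256:\s*([0-9A-Fa-f:]+)') {
        $fingerprints[$Matches[1]] = $true
    } else { throw "No signer certificate found in $($apk.Name)" }

    # Align into a new file (-f overwrites an earlier run), then re-check it.
    $aligned = $apk.FullName -replace 'unsigned\.apk$', 'signed.apk'
    & zipalign -f 4 $apk.FullName $aligned
    if ($LASTEXITCODE -ne 0) { throw "zipalign failed: $($apk.Name)" }
    & zipalign -c 4 $aligned
    if ($LASTEXITCODE -ne 0) { throw "Alignment check failed: $aligned" }
    Write-Host "OK  $aligned"
}

# Every APK of one app must be signed with the same key.
if ($fingerprints.Count -ne 1) {
    throw "APKs are signed with $($fingerprints.Count) different certificates"
}
Write-Host "All $($apks.Count) APK(s) share signer SHA256 $($fingerprints.Keys)"
```

The -tsa option needs network access to the timestamp server at signing time; without it jarsigner exits with an error and the script stops at that APK.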