Manually signing Android apps (APKs)

13

Features on these Courses

Stats

15,390 visits, 20,858 views

Tools

Translations

This tutorial hasn't been translated.

License

This tutorial is licensed under CC BY 4.0. Please refer to the license text if you wish to reuse, share or remix the content contained within this tutorial.

Published on 6 Jun, 2018. Last updated 14 Feb, 2019

Android apps, stored in APK files, must be signed before they can be published. This verifies that you are the publisher and that they have not been tampered with since you uploaded it.

Construct 3 can build signed APKs for you. See the tutorial Building a signed APK for Android in Construct 3 for more information on that.

You may wish to manually sign an APK if you need to work offline, or if for whatever reason you don't trust the build service to do this for you. (Although we have gone to lengths to ensure our build service is secure, signing an APK manually ensures your keystore never leaves your device.) Manually signing an APK involves using command-line developer tools, so is generally only appropriate for advanced users.

To get an unsigned release APK ready to sign yourself, see the tutorial Building Android apps (APKs) in Construct 3, and use the Unsigned release APK option.

Signing a release APK

Release APKs are intended for publishing to the Google Play store. Before you can publish it, you must align it (to optimise it) then sign it (to securely verify you as the author). You can't run a release APK on your device until it is signed. Depending on the device you may also need to enable developer mode, or enable permission to install apps from unknown sources, before you can install the release APK. This is because it doesn't come directly from the Google Play Store. (Installing an APK manually is also known as side-loading.)

Tips on using command lines

You'll need to run some programs from the command line to follow these steps. On macOS and Linux it's referred to as the Terminal. Older versions of Windows use the Command prompt, but in the latest versions of Windows 10 it's been replaced with Powershell. Normally you can just search for these names as an app and run it. Many systems have shortcuts to open them as well, such as holding Shift and right-clicking in a folder on Windows. Here are some more tips to help you follow these steps:

  • The command line has a current directory, which is always displayed. This is where files are written to and read from by default, if you use a relative name like file.txt in a command.
  • A command to run a program is the filename of the program followed by any options (called arguments in a command line).
  • Usually if a path has a space in it, e.g. C:\Program Files, it must be surrounded in double quotes to work correctly, e.g. "C:\Program Files".
  • In Windows PowerShell, if the path to the program itself has a space in it, prefix it with &. For example if you get an error trying to run "C:\Program Files\tool.exe", try running & "C:\Program Files\tool.exe" instead.

Installation

You'll need to install two pieces of software for signing APKs:

  1. JDK (Java Development Kit), which contains the keytool utility
  2. Android Studio, which contains the Android development tools

You'll also need to take a note of the installation directories. For example on a Windows system, the tools we'll need will be in paths similar to these (but note particulars of version numbers and usernames may be different):

  • C:\Program Files\Java\jdk1.8.0_121\bin for keytool
  • C:\Users\YourUserName\AppData\Local\Android\sdk\build-tools\26.0.2 for zipalign and apksigner

In the following steps, we'll shorten the full paths to path\to\jdk and path\to\android\build-tools for brevity. When you see these, you'll need to replace them with the full paths. Don't forget to surround them in double-quotes if they contain a space, and in PowerShell, if you use double quotes also prefix it with &.

Create a key

You also need to create a private key to sign the APK with. You'll also need to create a password for the key. Both the password and the key file must be kept a secret for your app to be secure. Take a note of the password somewhere safe, since you'll need it later, as well as any time you sign an APK in future with the same key.

First create a new empty folder to hold all our signing related files in. Then make sure the command line has that set as its current directory. Normally you can do this with the cd command, e.g.:

cd path\to\folder

To create a key, run the following keytool command:

path\to\jdk\keytool -genkey -v -keystore release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

You will then be prompted to enter a password for the key, and to confirm it. Take note of this password in a safe place, you'll need it later!

You'll also be asked for information about the publisher of the app, including your name, the name of your organizational unit, the name of your organization, your city or locality, your state or province, and the two-letter country code. These are optional, you can simply press return without entering anything to skip a field. At the end it will ask you to confirm - simply enter y to accept.

You'll also be asked to enter a key password - just press return to make it the same as the previous password. Once completed, you should get a file named release-key.jks in your folder.

Aligning

Copy your unsigned release APK to the same folder as your release key. For simplicity following these commands, rename it to app.apk. It needs to be aligned, which is an optimisation. This is done with a tool named zipalign. Use the following command to do this.

path\to\android\build-tools\zipalign -v -p 4 app.apk aligned.apk

This creates a new file named aligned.apk in the folder. This is an aligned, but still unsigned, APK file to use for the next step.

Signing

Now you need to use the release key you created earlier to sign the APK. This is a way of securely proving that you are the author of the app and that it hasn't been tampered with.

The APK is signed with a tool named apksigner. Use the following command:

path\to\android\build-tools\apksigner sign --ks release-key.jks --out signed.apk aligned.apk

You'll need to enter the password you created with your release key earlier. Once completed, you should have a signed release APK in your folder named signed.apk!

You can verify the signing was successful by running:

path\to\android\build-tools\apksigner verify signed.apk

There shouldn't be any errors listed when you run that command. If it says nothing, it's OK.

At this point you'll probably want to rename signed.apk to something more useful, e.g. mygame-release-signed.apk.

Example

The following commands were used on a Windows 10 PC with a PowerShell prompt. Note that you cannot use these commands directly yourself! They include things like usernames in the path, and specific version numbers. They are provided as an example to help you follow the previous steps.

Creating a release key: (note this command involves a path with a space, so it was wrapped in quotes, and & added so PowerShell understands it)

& "C:\Program Files\Java\jdk1.8.0_121\bin\keytool" -genkey -v -keystore release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

Aligning APK:

C:\Users\Ashley\AppData\Local\Android\sdk\build-tools\26.0.2\zipalign -v -p 4 app.apk aligned.apk

Signing APK:

C:\Users\Ashley\AppData\Local\Android\sdk\build-tools\26.0.2\apksigner sign --ks release-key.jks --out signed.apk aligned.apk

Verifying APK:

C:\Users\Ashley\AppData\Local\Android\sdk\build-tools\26.0.2\apksigner verify signed.apk

Tips

Typically most of the work here is one-off setup. Once you have followed these steps once, it's much quicker to sign another APK: you can jump straight to the Aligning section and use the same release key.

You might want to create a small script to run these commands automatically, which will help make the process quicker.

You can also test release APKs on your device once they're signed - see the section Transfer the APK to your device in the tutorial Building Android apps (APKs) in Construct 3.

Publishing

You can now upload the signed APK to the Google Play Console. You'll need to register a Google Play Developer account if you don't have one already, which may also involve a fee.

From here onwards you're using Google's services, so it's best to refer to their official documentation. Take a look at the Google Play Console Help Center for further guidance.

  • 0 Comments

Want to leave a comment? Login or Register an account!