Android Keystore

Your app is ready and you want to get it to your clients. In order to do so, you need to sign your app: for Android this is done using keystores.

Introduction to keystores

Keystores are files holding private keys together with their certificates, and are primarily used to sign Android APK files. Usually you'll manage a single keystore that is used for your app in production. There is also a debug keystore that is generated by the Android SDK. You can check its location:

ls $HOME/.android/debug.keystore

If the keystore doesn't exist, check that you have installed the Android SDK.

Keystores can be password protected: you'll be prompted for the password when you sign your app.

Create a release keystore

keytool -genkey -v -keystore my-release-key.keystore \
    -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

Replace my-release-key.keystore with the name you want for your keystore, for example my-awesome-todo-app.keystore.

You'll be asked for passwords for the keystore and for the key. You can enter the same password for both.

Signing your app

Once you have your keystore, you can sign your app with it. Signing is needed so that Google and Android can check that the APK was generated by the proper developer. For example, even if a user installs a malicious APK downloaded from the internet with the same package name as the Facebook application, Android will refuse to install it over the existing app because the signing identities differ.

Start by compiling your app in release mode, then locate the apk that was generated. Sign this apk:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
    -keystore my-release-key.keystore my_application.apk alias_name

Your apk is now signed. A good practice, which is enforced anyway by the Play Store, is to also run zipalign, which aligns the uncompressed data inside the APK on 4-byte boundaries so Android can map it efficiently. Run it after signing, since it rewrites the file:

zipalign -v 4 my_application.apk my_application-aligned.apk

You're done! You can send this APK to the Google Play store.
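As an added illustration (not code from the original page), here is what the jarsigner step above actually records inside the APK: a META-INF/MANIFEST.MF listing a digest for every file in the archive, which the .SF and .RSA files then sign. The script below parses that manifest and recomputes each entry's digest, so a defender can tell whether an APK's contents still match what was signed. It checks only the per-entry digests, not the signature block itself. The sample APK, its entries and the entry names are constructed in-memory for the example.

```python
"""Recompute the per-entry digests recorded in an APK's META-INF/MANIFEST.MF."""
import base64
import hashlib
import io
import zipfile

# Manifest attribute names jarsigner writes for -digestalg SHA1 / SHA-256.
DIGEST_ATTRS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}


def parse_manifest(text):
    """Parse MANIFEST.MF into {entry name: {attribute: value}}.

    Manifest lines are wrapped at 72 bytes; a continuation line starts with a
    single space, so those are joined back first.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines:
        if line == "":  # blank line ends a section
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if "Name" in current:
        sections[current["Name"]] = current
    return sections


def check_manifest_digests(apk_bytes):
    """Return [(entry, problem)] for entries whose recorded digest is missing
    or does not match the bytes actually stored in the archive."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in z.infolist():
            name = info.filename
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directories carry no digest
            attrs = manifest.get(name)
            if attrs is None:
                problems.append((name, "not listed in manifest"))
                continue
            data = z.read(name)
            checked = False
            for attr, ctor in DIGEST_ATTRS.items():
                if attr in attrs:
                    checked = True
                    expected = base64.b64encode(ctor(data).digest()).decode()
                    if expected != attrs[attr]:
                        problems.append((name, f"{attr} mismatch"))
            if not checked:
                problems.append((name, "no digest attribute"))
    return problems


def build_sample_apk(entries, tamper=None):
    """Constructed sample: a minimal zip with a MANIFEST.MF in the layout
    jarsigner produces. If `tamper` names an entry, its bytes are altered
    after the digest was recorded, simulating a modified APK."""
    manifest = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            if name == tamper:
                data = data + b"\x00"
            z.writestr(name, data)
    return buf.getvalue()


# Constructed entries standing in for a real APK's contents.
SAMPLE_ENTRIES = {
    "classes.dex": b"dex\n035\x00constructed",
    "res/logo.png": b"\x89PNG constructed",
}


def demo():
    """Returns (problems in an intact APK, problems in a tampered APK)."""
    intact = check_manifest_digests(build_sample_apk(SAMPLE_ENTRIES))
    tampered = check_manifest_digests(build_sample_apk(SAMPLE_ENTRIES, tamper="classes.dex"))
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

On a real APK, pass the file's bytes to check_manifest_digests; an empty list means every entry still matches its recorded digest, while any mismatch means the archive was modified after signing.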

Be cautious about your keystore

Your keystore must be backed up and never lost: if you lose it, you won't be able to sign your app and release new versions on the Google Play store. In the same way, anyone who gets access to the keystore (and its password) can use it to sign their own application as if it were your app.

It's a good idea to never commit the keystore to your git repository. You can prevent this by adding the following line to your .gitignore:

*.keystore
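The .gitignore pattern only catches files that keep the .keystore extension. As an added example (not part of the original page), the check below can run as a git pre-commit hook and flags staged files that look like keystores, both by common extensions and by the JKS magic number 0xFEEDFEED at the start of the file, which also catches a keystore that was renamed. The staged file list and the sample files are constructed for the example.

```python
"""Flag files that look like signing keystores before they are committed."""
import subprocess
import sys

# Extensions conventionally used for Android signing keystores.
KEYSTORE_SUFFIXES = (".keystore", ".jks", ".p12", ".pfx")
# Every Java KeyStore (JKS) file starts with this magic number.
JKS_MAGIC = b"\xfe\xed\xfe\xed"


def looks_like_keystore(name, head):
    """Return a reason if `name` / `head` (first bytes of the file) look like a
    keystore, otherwise None. The extension is checked first; the magic number
    catches a JKS file that was renamed to slip past the .gitignore pattern."""
    if name.lower().endswith(KEYSTORE_SUFFIXES):
        return "keystore file extension"
    if head.startswith(JKS_MAGIC):
        return "JKS magic number"
    return None


def scan_files(files):
    """files: {path: first bytes}. Returns [(path, reason)] for suspicious ones."""
    found = []
    for path, head in files.items():
        reason = looks_like_keystore(path, head)
        if reason:
            found.append((path, reason))
    return found


def scan_paths(paths):
    """Same check against files on disk, reading only the first four bytes."""
    files = {}
    for path in paths:
        try:
            with open(path, "rb") as f:
                files[path] = f.read(4)
        except OSError:
            continue  # deleted or unreadable: nothing to leak
    return scan_files(files)


# Constructed sample of a staged file set.
SAMPLE_FILES = {
    "app/build.gradle": b"apply plugin: 'com.android.application'\n",
    "my-release-key.keystore": JKS_MAGIC + b"\x00\x00\x00\x02",
    "backup/signing.bin": JKS_MAGIC + b"\x00\x00\x00\x02",  # renamed keystore
    "res/logo.png": b"\x89PNG\r\n\x1a\n",
}


if __name__ == "__main__":
    # As a pre-commit hook: list staged (added/copied/modified) files and refuse
    # the commit if any of them looks like a keystore.
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    hits = scan_paths(out.split())
    for path, reason in hits:
        print(f"refusing to commit {path}: {reason}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Save it as .git/hooks/pre-commit (made executable) to have git run it before every commit; the scan_files function works on any {path: bytes} mapping, so the same logic can be reused in a CI job over a checkout.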