Android Development: Keytool, creating a keystore?

Question

I am trying to prepare my app for the google market, but it is proving a lot more challenging than expected. I cannot seem to grasp the whole concept of signing the app, but to be more specific my problem is that I have installed the keytool plugin for eclipse, but when I want to create a certificate it asks me to select a keystore (Enter the filename and keystore password), I don't understand what I am supposed to enter as a file, because it actually wants me to select the file through browse and how do I proceed with the exporting of the file, Google has sadly not come up with very good or clear answers

Answer 1

You need to provide location and filename for your new keystore file in case you are creating a new one. Alternatively, you could choose "use existing keystore" and browse to existing keystore file location.

Edit: I thought I would provide elaborate answer. Hope this info would be useful.

What is signature and why it is needed.

The apk signature mechanism used by android is an example usage of digital signature applied to bytecode and resources of the application to ensure :

• integrity (no tampering with your app after downloading)
• authenticity - You are the one who released the app to GooglePlay

To better understand digital signature I suggest you also skim through public-key cryptography.

How does that work.

Android uses same standard JDK tools used for signature/verification of standard java apps:

• jarsigner - signs data with provided private key, and verifies data with certificate (i.e. public key bound to your identity)
• keytool - manages private keys and certificates in your keystore. Those keys are needed for jarsigner.

After you sign your application manually with jarsigner or export signed application using your IDE (which uses keytool and jarsigner under the hood anyway), you can then locate signature-related files placed in META-INF directory of your signed .apk archive :

• CERT.SF - file containing SHA hashes of your app components and
• CERT.RSA (or .DSA) - digital signature of above mentioned file + public certificate to verify this signature. You can read more details about how singing works here.

How to properly sign application for release.

This article very well describes steps you need to follow.

Note: Please consider important pre-release steps before you proceed with signing : logs/ critical string literals removal, obfuscation with proguard, etc.

Below I will provide some key points for the process :

Generate your private key and put it in java keystore.

This may require creating keystore first if you don't have one. When creating keystore you need to create Keystore password, that is used to ensure integrity of keystore data (i.e. you will be warned that your keystore is tampered with after someone - not you -has added new certificate to it). Practically, this password is not super crucial if you keep your keystore file safe. You can get away if you forget it some day.

When generating private key, you will be also asked to create PrivateKey password that will be used to encrypt your private key inside the keystore. This is the very important password you need to keep as it ensures

• your private key is really private. and most importantly
• without this password you won't be able to use you private key to sign and release future updates for your application;
  

When you generate your new private key in Eclipse, you will also be asked to provide identity information that is used to create your self-signed certificate.

As the next step your private key from specified keystore file will be used to sign the application and your .apk will be updated with signature-related files explained above.

Some important terminology :

Keystore is simply a single binary file keeping list of your private keys / certificates in a specific format. It is programmatically accessible using API provided by KeyStore.java. Your keystore can contain multiple private key entries, each identified by its alias.
In majority of cases your keystore will have single private key with single self-signed certificate matching this private key.

Keystore password is used for integrity check of the keystore content.
If you loose this password, but you still have password for private key stored inside, you can "clone" your keystore and provide new keystore password by running the following cmd:

keytool -importkeystore -srckeystore path/to/keystore/with/forgotten/pw -destkeystore path/to/my/new/keystore

provide new password, and leave old keystore password blank - you will only get warning. You can then use your new keystore and get rid of old one.
There are other ways you can retrieve your private key without using keystore password.

Private key password - protects(by encrypting) private key inside keystore. It is extremely important as it allows you to access your private key to, among other things, sign updates for your application. It is generally very hard to recover it.

Self-signed ceritificate - very simple certificate binding your identity(name/organization/email) to your public key. This certificate is added to .apk file during signing operation and will be used on user's device to verify .apk before installation.