jarsigner: unable to sign jar: java.util.zip.ZipException: invalid entry compressed size (expected 463 but got 465 bytes)

Question

when I am signing the apk, I get "jarsigner: unable to sign jar: java.util.zip.ZipException: invalid entry compressed size (expected 463 but got 465 bytes)" this error message. The apk size is almost 1MB. When I reduce the size to 500KB, signing success. Why this so?..Any Idea?

Answer 1

You are trying to sign an already signed .apk. You need to export an unsigned .apk file and then sign it with jarsigner.

Answer 2

You definitely are able to sign an already signed APK multiple times using different keys:

Note that you can sign an APK multiple times with different keys.

E.g. I accomplished signing a Debug-Apk with the release key so that I was able to test upgrades of released versions. Also, I was able to sign an already released APK with the debug key for reproducing bugs.

This is what you should do

1. Rename the .apk file to .zip
2. Unpack the .zip file and remove the META-INF folder
3. Zip the folder again and rename it to .apk
4. Sign the apk:

    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
              -keystore my-release-key.keystore my_application.apk alias_name

For the debug key, the alias should be androiddebugkey and the password android. The debug keystore is per default $HOME/.android/debug.keystore. See also Sign your debug build.

Answer 3

This is the 1 Liner/1 Step version of @Joerg's answer above:

zip -d foo.apk META-INF/\*

That uses the built in "delete from existing archive" functionality of the zip command. When you run that command you should see:

deleting: META-INF/MANIFEST.MF
deleting: META-INF/CERT.SF
deleting: META-INF/CERT.RSA

...as the output. Those files are the existing signature. Removing them allows you to sign it again.

I would also like to reiterate that you should be sure to pass the -sigalg SHA1withRSA and -digestalg SHA1 arguments to the jarsigner to avoid this issue: https://code.google.com/p/android/issues/detail?id=19567

Answer 4

I encountered this when signing my .aab file. Removing the duplicate signing (once as part of the bundling, once manually) fixed it. This was part of the default react-native app scaffolding.

The app/build.gradle file includes a section android/buildTypes/release which had its signingConfig key set. When generating .apk files it seemed to be ignored but when switching to .aab format it looks like it did apply that signing. When I then did my own signing in CI, it complained because it was already signed.