"Package file was not signed correctly" error -- detect whether or not it will happen with Google Play app apk

Question

I am having problems with the error described in the questions below:

Published Android apk gives error "Package file was not signed correctly"
Some (but not all) users receive "Package file was not signed correctly" when downloading my app from Google Play

Specifically, when some users try to download my Google Play app, they get the error, others don't.

My question is: how to detect before submission whether the problem is going to occur or not?

For what it's worth, when I run

jarsigner -verify -verbose -certs myapk.apk

I see something like the following:

86226 Sun Nov 09 10:34:54 EET 2014 META-INF/MANIFEST.MF X.509, //[personal stuff omitted] [certificate is valid from 8/20/14 8:04 AM to 1/5/42 7:04 AM] [CertPath not validated: Path does not chain with any of the trust anchors] // several hundred entries like the above, and then: jar verified.

Warning: This jar contains entries whose certificate chain is not validated. This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2042-01-05) or after any future revocation date.

Answer 1

Actually this is a common problem and i guess you must be using Java 7 or later.

Solution

Run jarsigner:

jarsigner -verbose -verify -keystore ${KEYSTORE_PATH} ${YOU_JAR_FILE}

have a look here

Answer 2

Not actually a test to see if the apk is signed propably, but I feel this is usefull:

I got this problem a while ago, my solution: sign by hand.
Here is the script:

#!/bin/bash
storepass="your store pass"
keypass="your key pass"
alias="alias"
if [ $# -lt 1 ]; then
    echo "$0 <apk file>"
    exit 1;
fi

filename=$(basename "$1")
extension="${filename##*.}"
filename="${filename%.*}"


if [ $extension != "apk" ]; then
    echo "Inputfile is no apk!"
    exit 1;
fi

cp $filename.apk $filename-tmp.apk
zip -d $filename-tmp.apk "META-INF*"
rm -rf $filename-signed.apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore $keystore -storepass $storepass -keypass $keypass $filename-tmp.apk $alias
/Developer/android-sdk-macosx/build-tools/20.0.0/zipalign -f -v 4 $filename-tmp.apk $filename-signed.apk
rm -rf $filename-tmp.apk

You might need to update for your settings. I have tested it with Multiple devices (Galaxy Note 10.5, Samsung Galaxy S3, S5, Nexus 4, Lenovo Tab)
Seems to work so far.

(Signed on Mac OSX)

Answer 3

cordova build android --release

Before make sure to configure it: Create an ant.properties file in platforms/android/ with a keystore path and alias name:

key.store=/path/to/keystore/release_key_name.keystore key.alias=alias_name

You will be prompt for the password.

The APK will be created at platforms/android/ant-build/app_name-release.apk.

Source http://ilee.co.uk/Sign-Releases-with-Cordova-Android/