"Package not signed correctly" appearing for some users

I have had an app on Google Play for years that has seen countless updates. The latest update (the first one in a while) fails to install for some people; they simply get the "Package not signed correctly" error message.

It works on the Android devices I have at home. I'm building and signing with a custom build system that basically boils down to calling ant release, followed by

jarsigner -verbose -keystore $(keystore) -storepass $(storepass) $(appname).apk $(alias)
zipalign -v 4 $(appname).apk $(finalname).apk

That has worked for years; there were no changes to the build system or keystore, and I don't know why it stopped working for some users.

I noticed that the documentation added the following caution:

As of JDK 7, the default signing algorithim [sic] has changed, requiring you to specify the signature and digest algorithims [sic] (-sigalg and -digestalg) when you sign an APK.

So I added -sigalg SHA1withDSA -digestalg SHA1, which produces an APK with a different size. I can try rolling that out, but I don't want to keep pushing out updates and annoy the users without knowing that I'm actually fixing something.

Why does this only fail for some people? How do I fix it? Is explicitly specifying -sigalg/-digestalg enough?

EboMike asked Jan 05 '14 04:01


3 Answers

The problem is the same as you said about JDK 7. There are a lot of discussions on the same topic about how to overcome that.

Try this by adding

<presetdef name="signjar">
<signjar sigalg="MD5withRSA" digestalg="SHA1" />
</presetdef>

within your build.xml file

Note

The problem is that after building a release version with ant release, the APK could not be installed on a physical device.

This only happens with JDK 7; with JDK 1.6.25 all is fine!

It affects only a small percentage because for jarsigner, JDK 7 needs the SHA1 digest algorithm, but not with the default algorithms, whatever they are. So devices with some other algorithms as default will reject this and cause the problem.

Below are the algorithms used:

By default, jarsigner signs a JAR file using one of the following:

DSA (Digital Signature Algorithm) with the SHA1 digest algorithm
RSA algorithm with the SHA256 digest algorithm.
EC (Elliptic Curve) cryptography algorithm with the SHA256 with ECDSA (Elliptic Curve Digital Signature Algorithm).

For more jar signing

Viswanath Lekshmanan answered Nov 16 '22 05:11
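An added example, not part of the original question or answers: a pre-release check that reports which digest algorithm and signature block type an APK's JAR signature actually carries, so you can confirm that -sigalg/-digestalg took effect before rolling out an update. The function names, the in-memory sample APK and its digest values are constructed for illustration.

```python
import io
import re
import zipfile

# Matches JAR digest attributes such as "SHA1-Digest:" or "SHA-256-Digest-Manifest:".
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
BLOCK_EXTS = (".RSA", ".DSA", ".EC")


def inspect_jar_signature(apk):
    """Return digest algorithms and signature block types found under META-INF/.

    `apk` is a path or a binary file object. Only the JAR signature
    files are read; nothing is cryptographically verified here.
    """
    digests, blocks = set(), set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            if upper.endswith("MANIFEST.MF") or upper.endswith(".SF"):
                text = zf.read(name).decode("utf-8", "replace")
                digests.update(m.upper() for m in DIGEST_ATTR.findall(text))
            elif upper.endswith(BLOCK_EXTS):
                blocks.add(upper.rsplit(".", 1)[1])
    return {"digests": sorted(digests), "blocks": sorted(blocks), "signed": bool(blocks)}


def build_sample_apk(digest_name, block_ext):
    """Constructed sample: a fake APK whose META-INF mimics jarsigner output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed")
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\n"
                    f"{digest_name}-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n")
        zf.writestr("META-INF/CERT.SF",
                    "Signature-Version: 1.0\r\n"
                    f"{digest_name}-Digest-Manifest: Y29uc3RydWN0ZWQ=\r\n\r\n")
        zf.writestr(f"META-INF/CERT.{block_ext}", b"constructed placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for alg, ext in (("SHA1", "DSA"), ("SHA-256", "RSA")):
        print(alg, ext, inspect_jar_signature(build_sample_apk(alg, ext)))
```

Run inspect_jar_signature on the signed release APK as a build step; a digest name other than the one you passed to -digestalg, or a missing block file, means the signing options were not applied.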


Check this answer:

Published Android apk gives error “Package file was not signed correctly”

The problem seems to be related to JDK 7, so your fix could solve the problem (but I haven't experienced it myself!)

Pedro Loureiro answered Nov 16 '22 04:11


We can sign the application using Eclipse, like this: Right-click your project in Eclipse > Choose Android Tool > Export Signed Application Package...

Android Application APK signing?

I hope this may help. Thanks!!

Jagdish answered Nov 16 '22 04:11