
Some (but not all) users receive "Package file was not signed correctly" when downloading my app from Google Play

I have submitted and published an app in the Google Play store. I did not receive any errors when I uploaded my binary. Now, I am receiving reports from some (not all) customers stating that they are getting the following error when installing our App:

"Package file was not signed correctly"

When I try to replicate this error myself (using a Nexus 7 reset to factory settings), however, everything goes smoothly.

This seems to be similar to the issue described in this question, but the accepted answer doesn't seem to apply in this case.

I have seen suggestions to use JDK 6 instead of JDK 7, but answers like this one lead me to believe that this solution is for situations where the keystore was created in an older version of Java. In addition, I am concerned about how re-signing a new version with an older version of Java will affect our customers who haven't had problems with the initial installation.

  1. Does it make sense that the version of JDK used for signing the app negatively affects only some customers? If it does, what factors might determine which devices the issue occurs on?
  2. Would changing how I sign the binary (but not the certificate) have any negative impact on our ability to update the app for users who aren't currently having this issue?
  3. If the Java version I used to sign the APK isn't the issue, what else could cause an error like this?

Edit: All of the users with this problem (or without it) are running Android 4.0 or later. The app does not support earlier versions of Android.

asked Sep 12 '14 16:09

lzam


1 Answer

After a little reading around I'm going to take a stab: you need to specify the algorithm explicitly for the JDK7 jarsigner.

Add this to your project's build.xml file:

<presetdef name="signjar">
    <signjar sigalg="MD5withRSA" digestalg="SHA1" />
</presetdef>

After a bit more reading, it appears that it is about the default algorithm used on the device for the digest. It does appear to vary from device to device, with the common algorithm available on all devices being the one specified in the XML above. This is why it fails on some devices. Other users have experienced the same thing, e.g.: “Package not signed correctly” appearing for some users

This blog entry also contains some interesting information on apk signing: Android code signing

I am now quite confident that explicitly setting the Android-specified algorithm for signing will not affect your customers who have already installed, and I expect it will resolve your problem for the other customers.

answered Sep 24 '22 21:09

C B J
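
A way to confirm on the built artifact which digest algorithm the APK's JAR signature files (META-INF/MANIFEST.MF and the .SF file) actually carry, so the `digestalg` setting from the answer above can be checked before release. This is an added example, not code from the question or the answer; the function names and the sample APK contents are constructed for illustration, and it does not inspect the signature algorithm stored in the .RSA block.

```python
import io
import re
import zipfile

# Matches JAR-manifest digest attributes such as "SHA1-Digest:" or
# "SHA-256-Digest-Manifest:" and captures the algorithm name.
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)


def digest_algorithms(apk_bytes):
    """Return {META-INF file name: sorted digest algorithm names} for an APK/JAR."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            upper = name.upper()
            if upper == "META-INF/MANIFEST.MF" or (
                    upper.startswith("META-INF/") and upper.endswith(".SF")):
                text = apk.read(name).decode("utf-8", errors="replace")
                found[name] = sorted(set(DIGEST_ATTR.findall(text)))
    return found


def unexpected_digests(apk_bytes, expected="SHA1"):
    """List (file, algorithm) pairs whose digest differs from the expected one."""
    def norm(alg):
        return alg.upper().replace("-", "")
    return [(f, a) for f, algs in sorted(digest_algorithms(apk_bytes).items())
            for a in algs if norm(a) != norm(expected)]


def build_sample_apk(alg):
    """Constructed sample: a zip holding only v1 signing metadata for one entry."""
    manifest = (f"Manifest-Version: 1.0\r\n\r\n"
                f"Name: classes.dex\r\n{alg}-Digest: AAAA\r\n\r\n")
    sig_file = (f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: BBBB\r\n\r\n"
                f"Name: classes.dex\r\n{alg}-Digest: CCCC\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", sig_file)
        z.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        print(alg, "->", unexpected_digests(build_sample_apk(alg)))
```

To check a real build, pass the bytes of the signed APK file to `unexpected_digests`; an empty list means every digest attribute found uses the expected algorithm.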