"The security strength of SHA-1 digest algorithm is not sufficient for this key size" while rebuilding on Android Studio

Question

I am facing this problem while building the project. Below is the stacktrace. I created a new keystore file for release key but didn't work.

Caused by: java.io.IOException: Failed to generate v1 signature
at com.android.tools.build.apkzlib.sign.SigningExtension.onOutputZipReadyForUpdate(SigningExtension.java:292)
at com.android.tools.build.apkzlib.sign.SigningExtension.access$200(SigningExtension.java:53)
at com.android.tools.build.apkzlib.sign.SigningExtension$1.lambda$beforeUpdate$2(SigningExtension.java:171)
at com.android.tools.build.apkzlib.zip.ZFile.notify(ZFile.java:2154)
at com.android.tools.build.apkzlib.zip.ZFile.update(ZFile.java:923)
at com.android.tools.build.apkzlib.zip.ZFile.close(ZFile.java:1207)
at com.android.tools.build.apkzlib.zfile.ApkZFileCreator.close(ApkZFileCreator.java:174)
at com.google.common.io.Closer.close(Closer.java:216)
at com.android.builder.internal.packaging.IncrementalPackager.close(IncrementalPackager.java:332)
at com.android.build.gradle.tasks.PackageAndroidArtifact.doTask(PackageAndroidArtifact.java:704)
at com.android.build.gradle.tasks.PackageAndroidArtifact.splitFullAction(PackageAndroidArtifact.java:515)
at com.android.build.gradle.tasks.PackageAndroidArtifact.lambda$doFullTaskAction$3(PackageAndroidArtifact.java:396)
at com.android.build.gradle.internal.scope.BuildElements$ExecutorBasedScheduler$transform$$inlined$forEach$lambda$1.call(BuildElements.kt:121)
at com.android.build.gradle.internal.scope.BuildElements$ExecutorBasedScheduler$transform$$inlined$forEach$lambda$1.call(BuildElements.kt:110)
at java.util.concurrent.ForkJoinTask$AdaptedCallable.exec(ForkJoinTask.java:1424)
at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157)
Caused by: java.security.InvalidKeyException: Failed to sign using signer "CERT"
at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:295)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.sign(V1SchemeSigner.java:256)
at com.android.apksig.DefaultApkSignerEngine.outputJarEntries(DefaultApkSignerEngine.java:424)
at com.android.tools.build.apkzlib.sign.SigningExtension.onOutputZipReadyForUpdate(SigningExtension.java:290)
... 18 more
Caused by: java.security.InvalidKeyException: Failed to sign using SHA1withDSA
at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:519)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:293)
... 21 more
Caused by: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
at sun.security.provider.DSA.checkKey(DSA.java:104)
at sun.security.provider.DSA.engineInitSign(DSA.java:136)
at java.security.Signature$Delegate.init(Signature.java:1152)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1112)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1176)
at java.security.Signature.initSign(Signature.java:527)
at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:515)

Followed other questions on the forum but nothing worked. Please help. Android Studio Version - 3.2.1

Edit- Changing the minSdkVersion from 18 to 21 fixed the issue. But not able to figure out the real reason behind this.

Answer 1

The error message means, that the key likely has 1024 bits strength, because it had been generated with any JDK version before JDK 8u151 - while at least 2048 bits key-strength are being expected:

The security strength of SHA-1 digest algorithm is not sufficient for this key size.

The reason behind this is, that the default key-size had changed from 1024 to 2048 bits with JDK 8u151. This change can also be found in the JRE/JDK crypto roadmap at datecode 2017-10-17:

Upgraded the jarsigner and keytool ‑sigalg default to SHA256withDSA and the ‑keysize default to 2048 for DSA keys.

The "Reverting Instructions" would be (which do not really apply for signage with Android Studio):

To use a different algorithm and/or smaller key size use the ‑sigalg and ‑keysize options of keytool and jarsigner to override the current defaults. Before this change the default values were SHA1withDSA and 1024 bits.

For an APK, it is recommend to use the apksigner instead of the jarsigner - and there meanwhile is a APK Signature Scheme v3 (these are backwards compatible - therefore it is save not to use v1).

Generating a new key with at least 2048 bits strength should permit the v1 (jar) signing. Downgrading the JDK would also be a feasible workaround (while I'd rather not suggest that).

If you've already published this key to Google Play, the best option available might be trying to migrate to Google Play App Signing (the release key would be downgraded to an upload key).

---

The bottom line is, that most likely your system-wide installed version of the JDK is much older than the OpenJDK bundled with the current version of Android Studio - and so you can generate as many new keys as you want, but they won't meet the minimum security requirements. Updating the system-wide installed version of the JDK should enable you to generate keys with sufficient strength; run java -version, to see what you are even using to generate keys with an insufficient strength.

or simply use the ... /android-studio/jre/jre/bin/keytool to generate them.

Answer 2

Generating the keystore with keysize length 2048 worked for me.

keytool -genkey -v -keystore ~/.android/debug.keystore -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 2048 -validity 10000