Recently, when I was about to sign my APK to be published to the Play Store, I got this new option:
Pressing on the "Signature help" link, opened this webpage: https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2
Searching more, I've found this:
http://android-developers.blogspot.co.il/2016/11/understanding-apk-packaging-in-android-studio-2-2.html
It turns out that it's a new verification on Android 7.x, which can help make the APK more secure, yet also a bit smaller in size.
I tried using this new feature, and as was written on the blog, it does make the APK a bit smaller. Also, as it was written, it's meant only on Android 7.x and above (yet you can actually sign using both methods on the same APK, letting you install the app on older versions of Android too).
I don't understand if it's safe to use the new signing mechanism, and what exactly they warn about on the docs.
There is at least one warning I've read that I don't think needs special care for most develoeprs:
Caution: If you sign your app using APK Signature Scheme v2 and make further changes to the app, the app's signature is invalidated. For this reason, use tools such as zipalign before signing your app using APK Signature Scheme v2, not after.
I think I can ignore this warning, because I just let the IDE itself build the APK using the default build behavior.
I tried using all 3 ways to sign the app:
It seems that v2 alone cannot be installed on pre-7.x versions of Android, yet the rest can, and it also seems that v2 is smaller than v1, while v1&v2 is a really tiny bit larger than v1 .
Is it safe to switch from the old signing to the new one (Enabling both signing of course) ?
Will users have any issues upgrading? Will users upgrading from v1 to v2, or from v2 (or v1&v2) to v1 (in case something went wrong) - have any issues?
Should I know about any warnings? Was I right that I can ignore the warning I've mentioned?
Aside from better security, what does signing using v1&v2 (together) provide, that I don't have on v1 ?
My guess is that only from Android 7, we will be able to use just v2, which provides a way for having smaller APKs. Is it true?
APK Signature Scheme v2 is a whole-file signature scheme that increases verification speed and strengthens integrity guarantees by detecting any changes to the protected parts of the APK.
Application signing ensures that one application cannot access any other application except through well-defined IPC. When an application (APK file) is installed onto an Android device, the Package Manager verifies that the APK has been properly signed with the certificate included in that APK.
- Is it safe to switch from the old signing to the new one (Enabling both signing of course) ?
Yes. As long as you don't modify the APK after signing, you're good.
- Will users have any issues upgrading? Will users upgrading from v1 to v2, or from v2 (or v1&v2) to v1 (in case something went wrong) - have any issues?
No issues. Once the Android Package Manager verifies an APK signature (using v1 or v2 scheme), it extracts the signing cert(s) and then bases any further logic (e.g., is this APK permitted to be used as an update to the old one) only on the signing cert(s). Thus, as long as your APK is signed using the same signing cert(s), you should be good.
- Should I know about any warnings? Was I right that I can ignore the warning I've mentioned?
You can ignore that particular warning if you use just the Android Plugin for Gradle / Android Studio to build & sign your APKs. The warning is there for developers which use custom build pipelines which might modify APKs after signing.
I'm not aware of any other warnings.
- Aside from better security, what does signing using v1&v2 (together) provide, that I don't have on v1 ?
v2 signature verifies much faster. This means v2-signed APKs install/update a bit faster on Android Nougat (Android 7.0, API Level 24) and newer.
- My guess is that only from Android 7, we will be able to use just v2, which provides a way for having smaller APKs. Is it true?
Correct. However, APK size saving was never a goal of APK Signature Scheme v2. The saving is just a small figure proportional to the number of files in the APK, not to their size. What you save on are the per-file digests in META-INF/MANIFEST.MF
and META-INF/*.SF
. The META-INF/*.(RSA|DSA|EC)
is replaced by the similar-sized APK Signature Scheme v2 Block elsewhere in the APK.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With