How to sign and secure your .apk for Google Play

Quick overview on how to sign and secure your .apk for Google Play on a Windows machine. I also show a neat tool to zip align your .apk file as well.

Step 1 – OpenSSL

OpenSSL is an open-source implementation of the SSL and TLS protocols. OpenSSL can be used to create your own Self Signed SSL certificates.
You can download the latest OpenSSL here: https://www.openssl.org/ or version 0.9 here: http://files.pulsarmedia.ca/google/openssl-0.9.8k_X64.zip

a) Create a private key with a password.

Type the command:
[cc]
OpenSSL> genrsa -des3 -out my.key 1024
[/cc]
It will ask for a passphrase. Enter a passphrase to continue. If you need a 2048-bit key, replace 1024 with 2048. The key is created as my.key in the openssl/bin folder. You may use your preferred name for the key.

b) Create a CSR (Certificate Signing Request).

Enter the command to create CSR:
[cc]
OpenSSL> req -new -key my.key -out request.csr
[/cc]
You might get an error saying: “unable to load config info from /usr/local/ssl/openssl.cnf windows”. This is because OpenSSL can’t find its config file. In that case you need to specify the absolute path to the config:
[cc]
OpenSSL> req -new -key my.key -out request.csr -config D:\Programs\OpenSSL\openssl.cnf
[/cc]

Enter the details required and finally you will find a .csr file in your directory.

Note: The “challenge password” requested as part of the CSR generation is not the same thing as a passphrase used to encrypt the secret key. The “challenge password” is basically a shared-secret nonce between you and the SSL issuer, embedded in the CSR, which the issuer may use to authenticate you should that ever be needed. Should you choose to enter and use a challenge password, you will need to make sure that you save that password in a secure place. If you ever need to reinstall your certificate for any reason, you will be required to enter that password. Read more: http://serverfault.com/questions/266232/what-is-a-challenge-password

c) Sign your certificate.

Enter the following command:
[cc]
OpenSSL> x509 -req -days 9999 -in request.csr -signkey my.key -out certificate.pem
[/cc]

Here 9999 is the number of days the certificate is valid for. It should be valid for a minimum of 25 years.

d) Creating pk8

A .pk8 file contains the private key in PKCS#8 DER form, which is the format SignAPK expects when signing an Android APK. Use the following command to create the pk8 file from the PEM key (note that -nocrypt writes the key unencrypted, so protect key.pk8 at least as carefully as the passphrase-protected my.key):

[cc]
OpenSSL> pkcs8 -topk8 -outform DER -in my.key -inform PEM -out key.pk8 -nocrypt
[/cc]

Reference: http://www.learn2crack.com/2014/02/create-ssl-certificate-openssl.html

Step 2 – SignAPK

You can download SignAPK.rar here:
http://files.pulsarmedia.ca/google/SignApk.rar
Usage can be found here: https://code.google.com/p/signapk/

The certificate.pem and key.pk8 created in the previous step need to be placed in the SignApk folder. Also place your-app.apk in the same folder and run the following command in cmd (inside the SignApk folder):

[cc]
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-signed-app.apk
[/cc]
or
[cc]
java -jar signapk.jar certificate.pem key.pk8 your-update.zip your-signed-update.zip
[/cc]
(Execute the command from the command line in the folder where you unzipped SignApk, choosing whichever of the two lines above suits your needs. You will need Java installed for this step.)

Step 3 – Zip Align

Download Zipalign to zip align your signed .apk file: http://files.pulsarmedia.ca/google/Zipalign.zip
Further info on Zipalign can be found here: http://developer.android.com/tools/help/zipalign.html

Copy the signed .apk file into the zipalign folder (you can also try putting it in the android sdk / tools folder) and run zipalign.exe. Select the .apk you want to zipalign. Then click zipalign.bat and it’ll create the zipaligned app in the ZipAlignApps folder.
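Two checks worth running after Steps 2 and 3, as an added example that is not part of the original post or of the SignApk/zipalign tools: it verifies the SHA1-Digest values in META-INF/MANIFEST.MF against the archive entries (the v1/JAR manifest SignApk writes; CERT.SF and CERT.RSA are not checked here) and reports uncompressed entries whose data does not start on a 4-byte boundary (what zipalign fixes). It uses Python’s standard library rather than the Windows tools above; build_sample_apk constructs a minimal manifest-only archive for testing, and the entry names and the 0xD935 padding field ID are assumptions.

```python
import base64
import hashlib
import io
import struct
import zipfile

def parse_manifest(text):
    """Map entry name -> base64 SHA1-Digest from a META-INF/MANIFEST.MF body."""
    digests, name = {}, None
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):  # unfold 72-col wraps
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def check_v1_digests(apk):
    """Entries whose bytes no longer match the v1 manifest digest (empty list = intact)."""
    with zipfile.ZipFile(apk) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        return [n for n, d in expected.items()
                if base64.b64encode(hashlib.sha1(zf.read(n)).digest()).decode() != d]

def check_zipalign(apk, alignment=4):
    """STORED (uncompressed) entries whose data does not start on a 4-byte file offset."""
    def data_offset(zf, info):  # local header: name and extra lengths sit at bytes 26..29
        zf.fp.seek(info.header_offset)
        name_len, extra_len = struct.unpack("<HH", zf.fp.read(30)[26:30])
        return info.header_offset + 30 + name_len + extra_len
    with zipfile.ZipFile(apk) as zf:
        return [i.filename for i in zf.infolist()  # zipalign only aligns uncompressed entries
                if i.compress_type == zipfile.ZIP_STORED and data_offset(zf, i) % alignment]

def build_sample_apk(entries, align=False, tamper=False):
    """Constructed APK-like zip with a v1 manifest only (no CERT.SF/CERT.RSA, no real signature)."""
    buf, lines = io.BytesIO(), ["Manifest-Version: 1.0", ""]
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        def add(name, data):  # optional zipalign-style padding via a local extra field
            info = zipfile.ZipInfo(name, (2020, 1, 1, 0, 0, 0))
            if align:  # 0xD935 is the extra-field ID Android's apksig uses for alignment padding
                pad = -(buf.tell() + 30 + len(name) + 4) % 4
                info.extra = struct.pack("<HH", 0xD935, pad) + b"\0" * pad
            zf.writestr(info, data)
        for name, data in entries.items():
            add(name, data)
            digest = hashlib.sha1(data + (b"!" if tamper else b"")).digest()
            lines += [f"Name: {name}", f"SHA1-Digest: {base64.b64encode(digest).decode()}", ""]
        add("META-INF/MANIFEST.MF", ("\r\n".join(lines) + "\r\n").encode())
    return buf
```

Run check_v1_digests and check_zipalign on your-signed-app.apk; both should return empty lists before upload.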
