Android签名证书

在最新的Android SDK中我们看到了Android签名证书机制的出现,也就是说几乎和Symbian OS v9.x以上平台构架一样,都需要数字签名证书才可以运行,这也是考虑到平台的安全性,同样也提供了类似的自签名self-signed证书。

  Android系统要求所有安装的应用程序必需有数字签名。否这系统将不会安装后运行程序在没有合适的签名许可。最终无论是在真是设备还是模拟器上都必须给你的程序建立签名才可以调试运行。(The Android system requires that all installed applications are digitally signed — the system will not install or run an application that is not signed appropriately. This applies wherever the Android system is run, whether on an actual device or on the emulator. For this reason, you must set up signing for your application before you will be able to run or debug it on an emulator or device.)

  重点理解有关Android程序签名:(The important points to understand about signing Android applications are)

  所有程序必需签名,系统将不会安装一个未签名的程序。All applications must be signed. The system will not install an application that is not signed

  你可以自签名self-signed证书给你的程序.没有证书验证也是需要的。You can use self-signed certificates to sign your applications. No certificate authority is needed

  系统测试一个签名证书过期日期仅仅在安装时,如果程序签名已经过了在安装后,那么程序将可以继续使用正常的功能。The system tests a signer certificate's expiration date only at install time. If an application's signer certificate expires after the application is installed, the application will continue to function normally

你可以使用标准工具KeyTool和Jarsigner来生成密钥和签名你的程序在apk文件中。

  The Android SDK tools assist you in signing your applications when debugging. Both the ADT Plugin for Eclipse and the Ant build tool offer two signing modes — debug mode and release mode.

  In debug mode, the build tools use the Keytool utility, included in the JDK, to create a keystore and key with a known alias and password. At each compilation, the tools then use the debug key to sign the application .apk file. Because the password is known, the tools don't need to prompt you for the keystore/key password each time you compile.

  When your application is ready for release, you compile it in release signing mode. In release mode, the tools compile your .apk without signiing it. You must then use Keytool to generate your own keystore/key and then use the Jarsigner tool, also included in the JDK, to sign the .apk.

  Basic Setup for Signing

  To support the generation of a keystore and debug key, you should first make sure that Keytool is available to the SDK build tools. In most cases, you can tell the SDK build tools how to find Keytool by making sure that your JAVA_HOME environment variable is set and that it references a suitable JDK. Alternatively, you can add the JDK version of Keytool to your PATH variable.

  If you are developing on a version of Linux that originally came with Gnu Compiler for Java, make sure that the system is using the JDK version of Keytool, rather than the gcj version. If Keytool is already in your PATH, it might be pointing to a symlink at /usr/bin/keytool. In this case, check the symlink target to make sure that it points to the Keytool in the JDK.

  Signing in Eclipse/ADT

  If you are developing in Eclipse and have set up Keytool as described above, signing in debug mode is enabled by default. When you run or debug your app, ADT signs the .apk for you and installs it on the emulator. No specific action on your part is needed, provided ADT has access to Keytool.

  To compile your application in release mode, right-click the project in the Package pane and select Android Tools > Export Application Package. Alternatively, you can follow the "Exporting the unsigned .apk" link in the Manifest Editor overview page. After you have saved the exported .apk, you need to use Jarsigner to sign the .apk with your own key before distribution. If you don't have a key, you can use Keystore to create a keystore and key with all the appropriate fields. If you already have a key, such as a corporate key, you can use that to sign the .apk.

  Signing in Ant

  If you use Ant to build your .apk files, debug signing mode is enabled by default, assuming that you are using a build.xml file generated by the activitycreator tool included in the latest SDK. When you run Ant against build.xml to compile your app, the build script generates a keystore/key and signs the .apk for you. No specific action on your part is needed.

  To compile your application in release mode, all you need to do is specify a build target "release" in the Ant command. For example, if you are running Ant from the directory containing your build.xml file, the command would look like this:

 

ant release

  The build script compiles the application .apk without signing it. After you have compiled the.apk, you need to use Jarsigner to sign the .apk with your own key before distribution. If you don't have a key, you can use Keystore to create a keystore and key with all the appropriate fields. If you already have a key, such as a corporate key, you can use that to sign the .apk.

  Expiry of the Debug Certificate

  The self-signed certificate used to sign your application in debug mode (the default on Eclipse/ADT and Ant builds) will have an expiration date of 1 year from its creation date.

  When the certificate expires, you will get a build error. On Ant builds, the error looks like this:

debug:
[echo] Packaging bin/samples-debug.apk, and signing it with a debug key...
[exec] Debug Certificate expired on 8/4/08 3:43 PM

  In Eclipse/ADT, you will see a similar error in the Android console.

  To fix this problem, simply delete the debug.keystore file. On Linux/Mac OSX, the file is stored in ~/.android. On Windows, the file is stored in C:Documents and SettingsLocal SettingsApplication DataAndroid.

  The next time you build, the build tools will regenerate a new keystore and debug key.

posted @ 2008-12-20 18:26  jacktu  阅读(1789)  评论(0编辑  收藏  举报