Signing My Google Android Application – keytool.exe & jarsigner.exe

I had such a hard time signing my Google Android application that it makes me wonder how many developers just gave up. How many applications rest unfinished because the process for signing applications is not as simple as it could be? When you’re finished with your application, and it’s all debugged and tested, you don’t just simply press a “make money” button. No, if you want to play in Google’s playground, you have to be tougher than that.

Signing applications is a security measure. When your application is added to the Android Market, how do you update it? Well, that’s easy — just upload a new version. The problem: how do you stop others from impersonating you? That’s why your Android application needs to be signed. Otherwise, evil doers could turn your friendly application into a malicious program. The Android Market requires applications to be signed. The documents on the Android site also stress that it is very important to protect your key.

At first, I had zero chance of my key being compromised. That’s because I didn’t know how to make one. I kept reading. I kept doing Google searches. I just couldn’t make sense out of it. I was getting close to spending more time on locking my application than I did creating it. The first problem was actually finding the program to make my key…

keytool.exe
C:\Program Files (x86)\Java\jre1.6.0_01\bin

It’s a program that runs in the command prompt, so I had to remember how to change directories. There’s no Graphical User Interface here… no! If I wanted to call myself an Android Developer, I had to get old school. I had a fun time remembering how to change directories and remembering the difference between a forward slash and a back slash.

So OK, I had a key. It had my information inside of it – my name, my company information, my general location and my secret password. I also had to set an expiration date. Google recommended something over 10,000 days. Naturally, feeling all smug, I put 31337 days – I’m elite. That means my key will expire in about 86 years. I wonder if that’s going to cause any problems in the year 2095.

Now I had to lock my file, but I couldn’t find the stupid jarsigner.exe file. I didn’t have it. Apparently, I needed to download some more Java software from Sun.

jarsigner.exe
C:\Program Files\Java\jdk1.6.0_12\bin

I found the jarsigner.exe but my commands weren’t working. Did I forget my password already? No, apparently Vista’s security stuff was preventing the file from being written. Two forms of security were doing a better job at stopping me than stopping criminals. But unlike Android Market, at least I could control my operating system. I disabled the annoying popup windows. No really, Vista, it’s OK if I create something in the Program Files directory.
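For reference, here is the whole command-line sequence as a batch file. This is an added example, not something from the original post: the tool paths are the two quoted above, while the working folder, `my-release-key.keystore`, the alias `myalias` and `MyApp.apk` are made-up names. It keeps the keystore and the APK in a folder under the user profile, so nothing has to be written under Program Files and Vista's prompts can stay switched on.

```bat
@echo off
rem Added example. Constructed names (assumptions, not from the post):
rem   %USERPROFILE%\android-signing, my-release-key.keystore, myalias, MyApp.apk
rem The two tool paths are the ones quoted in the post.
set "KEYTOOL=C:\Program Files (x86)\Java\jre1.6.0_01\bin\keytool.exe"
set "JARSIGNER=C:\Program Files\Java\jdk1.6.0_12\bin\jarsigner.exe"

rem Work in a user-writable folder instead of the Java bin directory.
set "WORK=%USERPROFILE%\android-signing"
if not exist "%WORK%" mkdir "%WORK%"
cd /d "%WORK%" || exit /b 1

rem Step 1: create the private key once and reuse it for every later release.
if exist my-release-key.keystore goto sign
rem keytool prompts for name, organization, location and the passwords.
rem -validity is in days (the post used 31337); -keysize 2048 asks for a
rem 2048-bit RSA key instead of relying on the tool's default size.
"%KEYTOOL%" -genkey -v -keystore my-release-key.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 31337
if errorlevel 1 exit /b 1

:sign
rem Step 2: sign the unsigned release APK in place (copy it into %WORK% first).
if not exist MyApp.apk (
    echo Copy the unsigned MyApp.apk into "%WORK%" and run this again.
    exit /b 1
)
"%JARSIGNER%" -verbose -keystore my-release-key.keystore MyApp.apk myalias
if errorlevel 1 exit /b 1

rem Step 3: check the result; jarsigner prints "jar verified." on success
rem and -certs shows the certificate of the signer.
"%JARSIGNER%" -verify -verbose -certs MyApp.apk

rem Step 4: show the certificate's validity dates and fingerprints, so a
rem later build can be confirmed to carry the same signer.
"%KEYTOOL%" -list -v -keystore my-release-key.keystore -alias myalias
```

Updates have to be signed with this same key, so back the keystore file up somewhere safe and keep it and its passwords out of anything you share or publish.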

My program is ready for distribution with other Android applications.

Now that my program is ready, I can move onto the next step – setting up a Google merchant account. Paid applications already hit the Android Market. I’m wondering if I should hurry and publish my application right away or wait until the flood of new applications subsides.

One thought on “Signing My Google Android Application – keytool.exe & jarsigner.exe”

  1. I’ve been checking my web traffic report. Apparently, this article is popular. Although, you might want to know that the process is much easier for me now.

    Step #1 – In Eclipse, Right-Click my project
    Step #2 – Select Android Tools > Export Signed Application Package.

    Then, I just follow the prompts.
    It’s a lot easier with a graphical user interface! :-)
