The Android system requires that every installed application be digitally signed with a certificate. The private key that corresponds to the certificate is held by the application's developer. The Android system uses the certificate to identify the author of an application and to establish trust relationships between applications.
The important points to understand about signing Android applications include the following:
All applications must be code signed. The system does not install an application on a device if it is not signed.
When you are ready to release your application to end users, you must sign it with a suitable private key. In application code signing, the private key is used to encrypt (sign) the manifest of file hashes, and the operating system uses the public key to decrypt (verify) that manifest. The public key is stored in a certificate.
To sign your applications, you can use self-signed certificates. No certificate authority is required.
The system checks the signer certificate's expiration date only during installation. If the signer certificate expires after the application has been installed, the application continues to function normally.
You can use standard tools, such as Keytool and Jarsigner, to generate keys and sign your application .apk files.
Code Signing Process
The Android build process signs your application based on which build mode you use to build your application.
Debug Mode
Debug mode is used to develop and debug applications. When you build an application in this mode, the Android SDK build tools create a debug key with the Keytool utility and use it to sign the .apk file automatically. Because the alias name and password are known to the Android SDK build tools, you are not required to enter them. This is called self-signing, and the self-signed debug certificate expires 365 days after the date of its creation.
Release Mode
Release mode is used to build applications that can be distributed to users or published in an app store, such as Google Play. When you build an application in release mode, you sign it with your own private key, which you can create with the Keytool utility.
Switching Between the Modes
Based on your requirement, you can choose to switch between the debug mode and release mode. To do this, on the Standard toolbar, from the Solution Configurations list box, choose the Debug or Release option.
Note: You can also customize the build mode. To do this, on the Standard toolbar, choose Configuration Manager from the list.
Creating a Private Key
Creating a private key also involves creating a Keystore file and signing the Android application file.
Prerequisites
The bin folder of your Java installation is in your PATH variable.
Java version 6 or later is installed in your environment.
The Keytool and Jarsigner utilities, which ship with the JDK, are available.
Creating a Keystore File
A keystore is a repository of keys and security certificates used to secure communication over the Internet. Keystores are managed with a utility called Keytool, which stores the keys and certificates in the keystore file.
Note: Remember the credentials that you provide while creating the keystore file. This information is required for building the Android application from your project.
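The following shell script is an added example and is not code from the original page or from any vendor's tooling. It runs the workflow the page describes (standard tools, creating a private key, creating a keystore file) with the JDK's own keytool, jar and jarsigner: create a keystore holding a self-signed RSA key, sign a sample .apk (a constructed zip standing in for a real build output), verify the signature, print the certificate's validity window that the installer checks, and confirm that an entry modified after signing is rejected. The scratch directory, keystore path, alias, password, distinguished name and package contents are all constructed values for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): the keytool/jarsigner workflow
# described above, with constructed paths, alias, password and sample content.

WORK="${TMPDIR:-/tmp}/apk-sign-demo.$$"   # scratch directory (constructed)
KEYSTORE="$WORK/release.keystore"         # keystore file (constructed path)
ALIAS="release-key"                       # hypothetical key alias
STOREPASS="demo-password-change-me"       # demo password; PKCS12 stores use one password for store and key
APK="$WORK/app.apk"                       # sample package (constructed)

# The JDK ships keytool, jarsigner and jar; all three are used below.
have_jdk_tools() {
    command -v keytool >/dev/null 2>&1 &&
    command -v jarsigner >/dev/null 2>&1 &&
    command -v jar >/dev/null 2>&1
}

# Create the keystore and a 2048-bit RSA key pair with a long-lived
# self-signed certificate; no certificate authority is involved.
create_keystore() {
    rm -rf "$WORK" && mkdir -p "$WORK/content" || return 1
    keytool -genkeypair -keystore "$KEYSTORE" -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -validity 10000 \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=Example Developer, O=Example, C=US" >/dev/null 2>&1
}

# Print the certificate's validity window, the dates the installer checks.
show_validity() {
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$ALIAS" 2>/dev/null | grep -i 'valid from'
}

# A stand-in for the build output: a zip with one entry and no manifest yet.
build_sample_apk() {
    printf 'constructed dex bytes, version 1\n' > "$WORK/content/classes.dex" &&
    (cd "$WORK/content" && jar cfM "$APK" classes.dex)
}

# Sign: jarsigner writes META-INF/MANIFEST.MF (per-file SHA-256 digests),
# a .SF file over that manifest, and an RSA signature block holding the certificate.
sign_apk() {
    jarsigner -sigalg SHA256withRSA -digestalg SHA-256 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        "$APK" "$ALIAS" >/dev/null 2>&1
}

# Verify with the public key from the embedded certificate; exit status 0 means verified.
verify_apk() {
    jarsigner -verify "$APK" >/dev/null 2>&1
}

# Replace a signed entry after signing; its recorded digest no longer matches.
tamper_apk() {
    printf 'constructed dex bytes, version 2 (changed after signing)\n' > "$WORK/content/classes.dex" &&
    (cd "$WORK/content" && jar uf "$APK" classes.dex)
}

# Whole workflow. Returns 0 only if the intact package verifies and the
# modified one is rejected; returns 2 when the JDK tools are not in PATH.
run_demo() {
    have_jdk_tools || { echo "keytool/jarsigner/jar not found in PATH" >&2; return 2; }
    create_keystore && build_sample_apk && sign_apk || return 1
    verify_apk || return 1
    tamper_apk || return 1
    if verify_apk; then return 1; fi
    return 0
}

run_demo && { show_validity; echo "signed, verified, and rejected the post-signing change"; }
```

The same store and key password is used deliberately: the PKCS12 keystores that recent JDKs create by default support only one password, and keytool silently ignores a different -keypass for them. The validity of 10000 days mirrors the long-lived certificate a release key needs, since the expiration date is checked at install time.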