How do I Create a Self-Signed Certificate for an Android App?

This lesson describes how to create a self-signed certificate for your Android application. Variations between Apple Mac and Windows are discussed and screen captures are provided.

Introduction

The Android release system requires that all applications installed on user devices are digitally signed with certificates whose private keys are held by the developer of the applications. The certificates allow the Android system to identify the author of an application and establish trust relationships between developers and their applications. The certificates are not used to control which applications the user can and cannot install.

There are 2 ways to create a certificate for an Android app:

1. Using the "keytool" application from the Terminal

2. Using Android Studio

How to create a certificate using the "keytool" application from the Terminal

Locating Keytool

Keytool is a key generation application that is made available through your Java SDK installation. You should be able to access the tool using a Terminal on your Mac or through the Command Prompt on your Windows machine.

The location of keytool is included in the directory search path on standard Mac installations but may have to be configured on Windows machines.

If you followed the default installation process, you can typically find the keytool application in the following or a similar location under Windows: C:\Program Files\Java\jdk1.6.0_24\bin\. You can either run keytool.exe from this location or add the relevant path to your search paths.

To add the path to your existing search paths, open your Control Panel and navigate to System and Security -> System -> Advanced system settings. This opens the System Properties window with the Advanced tab. Select Environment Variables... to open the Environment Variables window. Then select Path from the System variables panel and select Edit... . This opens the Edit System Variable dialog in which you can add the new path to the existing list of search paths. Make sure that you separate each new path with a semicolon, as is shown in the figure of this step.

Creating the Key

Open your Terminal or Command Prompt and execute the command keytool. If the application is found, it is executed and a list of the available command line options is returned. This provides you with information on how you can configure the key generation process. The following example should allow you to generate an appropriate key:

keytool.exe -genkey -v -keystore release.keystore -alias TicTacToe -keyalg RSA -keysize 2048 -validity 10000

The application is interactive and command line driven, requesting that you enter a number of parameters. Do not worry if you make mistakes when entering parameters; you can enter them again.

Once you have created your key, it is stored in a .keystore file whose location is shown at the end of the output generated by keytool. You should make a copy of your .keystore and keep it and the passwords in a safe place.

Note: -alias TicTacToe is specific to an application that is being signed in a later lesson. You may want to change this to something that is more meaningful to the application you are working on.
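To confirm that the keystore really holds a usable signing key before you rely on it, you can inspect it with keytool -list -v. The script below is an added example, not part of the original lesson: it reads that listing for one alias and checks the entry type, that the certificate is self-signed, the validity period and the key size. The function name check_signing_entry, the sample listing and the 25-year threshold passed to it are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the lesson): vet one keystore entry before signing with it.
# Real use, with the lesson's file and alias:
#   keytool -list -v -keystore release.keystore -alias TicTacToe | check_signing_entry TicTacToe 25
# Assumption: English-locale listing for a single alias, as printed by recent JDKs.

check_signing_entry() {   # $1 = alias, $2 = minimum validity in years; listing on stdin
  awk -v want="$1" -v min_years="$2" '
    function fail(msg) { print "FAIL: " msg; rc = 1 }
    /^Alias name: /  { alias = tolower(substr($0, 13)) }   # aliases are case-insensitive
    /^Entry type: /  { type = $3 }
    /^Owner: /       { owner = substr($0, 8) }
    /^Issuer: /      { issuer = substr($0, 9) }
    /^Valid from: /  { for (i = 2; i <= NF; i++) if ($i == "until:") from_year = $(i - 1)
                       until_year = $NF }
    /^Subject Public Key Algorithm: / { bits = $5 + 0; alg = $6 }
    END {
      if (alias != tolower(want)) fail("alias " want " not in listing")
      if (type != "PrivateKeyEntry") fail("entry type is \"" type "\"; signing needs PrivateKeyEntry")
      if (owner == "" || owner != issuer) fail("Owner and Issuer differ; not self-signed")
      if (until_year - from_year < min_years) fail("validity under " min_years " years")
      if (alg != "RSA" || bits < 2048) fail("expected RSA of 2048 bits or more, got " bits "-bit " alg)
      if (!rc) print "OK: " alias " is a self-signed " bits "-bit " alg " key valid until " until_year
      exit rc + 0
    }'
}

sample_listing() {   # constructed listing in the shape keytool prints; not a real certificate
  cat <<'EOF'
Alias name: tictactoe
Creation date: Jul 17, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Developer, O=Example, C=US
Issuer: CN=Example Developer, O=Example, C=US
Serial number: 1a2b3c4d
Valid from: Tue Jul 17 07:40:00 UTC 2018 until: Sat Dec 02 07:40:00 UTC 2045
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

sample_listing | check_signing_entry TicTacToe 25
```

The validity check compares calendar years only, which is enough to catch a key created with a short -validity value; -validity 10000 (days) gives roughly 27 years.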

How to create a certificate using Android Studio

To create a signing certificate using Android Studio, follow these steps:

1. Create a new empty project and click on Build -> Generate Signed Bundle/APK...

2. In the Generate Signed Bundle or APK dialog, select either Android App Bundle or APK and click Next.

3. Select a module from the drop down. In this case, you should only see "MyApplication1.app", which is the default name for the empty project you have created.

4. Below the field for Key store path, click Create new.

On the New Key Store window, provide the following information for your keystore and key:

- Keystore

Key store path: Select the location where your keystore should be created.

Password: Create and confirm a secure password for your keystore.

- Key

Alias: Enter an identifying name for your key.

Password: Create and confirm a secure password for your key. This should be different from the password you chose for your keystore.

Validity (years): Set the length of time in years that your key will be valid. Your key should be valid for at least 25 years, so you can sign app updates with the same key through the lifespan of your app.

Certificate: Enter some information about yourself for your certificate. This information is not displayed in your app, but is included in your certificate as part of the APK.

Once you complete the form, click OK.

Note: Android Studio might or might not append the .keystore extension to the name of the newly created certificate. If it does not, you can rename the file later and add the .keystore extension.

You have now created the signing key in the "Key Store Path" location. Make sure you write down all the passwords as well as the alias, and keep them in a safe place. You will need them for signing the Android standalone app, as seen in the next lesson.

Once you have a working key, go to lesson: How do I Create an Android App for Distribution? to find out how to sign your application.

Note: The Android website (https://developer.android.com/studio/publish/app-signing#sign_release) has a lot of information and recommendations on how to create your private key. It is strongly recommended that you review that information in addition to what is covered in this lesson.

20 Comments

Jacqueline Landman Gay

Just for reference: If you are on a Mac, use "keytool" as the command, not "keytool.exe". Also, if your app is more than one word, you must enclose the alias name in quotes or the shell command will hang.

Simon Asato

On Win7 the ..\Java\jdk1.7.0_07\bin folder is read only and will not allow you to write the .keystore file.
Give yourself "...User\..." full control in the Security settings.

Richard

@Simon Asato:

That is not the right way to do it. Better keep the permissions of the folder intact and start the tool from a location you do have access to.
For example:
Create a folder in your "My Documents", and use the full path to "keytool". The key will be saved in the current directory.

Richard

Nouman

How do I run the zipalign tool on our .apk from the command line?

Hanson Schmidt-Cornelius

Hi Nouman,

zipalign is used by LiveCode but is not something we explicitly support for users to interact with. If you would like to get more information on this, then please refer to the relevant help page at: http://developer.android.com/tools/help/zipalign.html

Kind Regards,

Hanson

Little Tiny Fish

This walk through was incredibly helpful. Thank you so much for setting it up.

Richard, I was a little confused about what you were saying, but I figured it out. Basically you're saying instead of using the command:
"-keystore release.keystore"

you can change the path by using:
"-keystore c:\MY\PATH\HERE\release.keystore"

Jerry

Hi, perhaps we need an additional lesson on how to use the upload key certificate when you try to update your app on the Google Play store, because then it is not accepting the signed updated APK anymore when using the same keystore file.

Elanor Buchanan

Hi Jerry, are you getting an error when you update your app on the Google Play store? If so could you let us know what it is so we can look into this.

Thanks

Elanor

Simon Schvartzman

Hi Livecode gurus. I'm trying to get my first Android App ready for deployment but hit the wall at the very first step: not able to generate the certificate. Please see below my log

Last login: Tue Jul 17 07:36:37 on console
Simons-MacBook-Air:~ simonschvartzman$ keytool
Key and Certificate Management Tool
Commands:
-certreq Generates a certificate request
-changealias Changes an entry's alias
-delete Deletes an entry
-exportcert Exports certificate
-genkeypair Generates a key pair
-genseckey Generates a secret key
-gencert Generates certificate from a certificate request
-importcert Imports a certificate or a certificate chain
-importpass Imports a password
-importkeystore Imports one or all entries from another keystore
-keypasswd Changes the key password of an entry
-list Lists entries in a keystore
-printcert Prints the content of a certificate
-printcertreq Prints the content of a certificate request
-printcrl Prints the content of a CRL file
-storepasswd Changes the store password of a keystore

Simons-MacBook-Air:~ simonschvartzman$ keytool -genseckey
Enter keystore password:
Enter keystore password:
Re-enter new password:
Enter key password for
(RETURN if same as keystore password):
keytool error: java.security.KeyStoreException: Cannot store non-PrivateKeys

Please help me to move forward! Many thanks in advance...

Elanor Buchanan

Hi Simon

Did you use the command given in the lesson?

keytool.exe -genkey -v -keystore release.keystore -alias TicTacToe -keyalg RSA -keysize 2048 -validity 10000

with TicTacToe replaced by something relevant for your app? This should generate a key you can use.

Kind regards

Elanor

Simon Schvartzman

Hi Elanor, shame on me! I didn't use the command before posting my comment. As you said, it ran OK when I executed the command as instructed, but now I'm facing another problem:
If I set "Sign for development only" on the Signing field of the Standalone configuration page it generates the apk OK. If I set the field to "Sign with my key" it throws the following error: "There was an error while saving the standalone application. signing failed - keystore load: Keystore was tampered with, or password was incorrect". I'm pretty sure I use the correct password, but just in case how can I reset it? Or could there be another reason for getting this error?
Many thanks for your support

Elanor Buchanan

Hi Simon,

The most likely cause is an incorrect password. I would try restarting LiveCode and trying to generate the Standalone again. If that doesn't work, unfortunately I don't think there is a way to retrieve a keystore password, as it is a security measure. You might find some suggestions on-line but you might just have to generate a new key.

Sorry I can't be more help.

Elanor

Simon

Hi Elanor, I'm trying to generate a new key as described in this lesson (and as I have done before) but getting the following errors:
Simons-MacBook-Air:~ simonschvartzman$ keytool -genkey -v -keystore release.keystore -alias AppV1 -keyalg RSA -keysize 2048 -validity 10000
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.tools.keytool.Main.doCommands(Main.java:926)
at sun.security.tools.keytool.Main.run(Main.java:366)
at sun.security.tools.keytool.Main.main(Main.java:359)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 7 more
Simons-MacBook-Air:~ simonschvartzman$

Any hints on how to fix it?

Many thanks in advance, regards

simon

I found the solution. One should use the same password used the last time the command was used...

Simon Schvartzman

Hi again, I was able to follow the lesson Using Android Studio. Then I had to change the folder where the key was stored, so I generated again and now I'm getting the following error message:
"Unable to build app for testing: signing failed - Certificate chain not found for: myAppname. myAppname must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."
It is worth mentioning that I'm getting the same error even if I try to use the original folder. I'm sure I'm doing something wrong but can't find out what... any clues as to what it could be? Many thanks

Simon Schvartzman

Update to my previous post. Instead of generating the keys with Android Studio I did it with the terminal command and it worked fine. Was even able to copy the generated keystore to a Dropbox folder and the stand alone was generated OK. Thanks

Namish

Very very nice 👌

Trevix

Hello.
My app is live on Google Play.
Because of several errors recently appearing, I wish to uninstall Android Studio and re-install it.
I wonder: is my Self-Signed Certificate going to be disrupted if I do it? Is there something that I have to do before uninstalling, so as to avoid another nightmarish journey into certificates and digital signatures?
Thanks

Panos Merakos

Hello Trevix,

Your self-signing certificate will not be affected if you uninstall and re-install Android Studio. However, I would not suggest doing so - since I doubt that this will fix the error(s) you are getting.

What are these errors? I take it you get these errors when trying to build an Android standalone? Have you seen this new lesson:

https://lessons.livecode.com/a/1770871-livecode-android-studio-setup-checklist

Regards,
Panos
--

Trevix

Sorry: I should have made clear that the errors reported on opening any project in Android Studio 2023.1.1 Patch 1 (Sonoma) do not concern Livecode (which works very well) but a side project.
The list of errors that I cannot fix is quite long, but they mostly concern Gradle: The cached Gradle state file /Users/trevix/.gradle/wrapper/dists/gradle-7.5-bin/f1w0cc9nuo0eivz97x2xlu9sv/gradle-7.5-bin.zip.ok may be corrupted.
