How To Manually Sign APKs
All Android applications must be digitally signed with a certificate before they can be installed. The signature lets the platform verify that an APK has not been modified since it was signed, and that an update comes from the same signer as the version already installed. The private key is held by the developer, so only the holder of that key can release versions of the app that carry a matching, verifiable certificate.
In essence, signing an APK proves its integrity and ties it to the developer's key. Note that Android accepts self-signed certificates, so the certificate identifies a key, not a vetted real-world identity; protecting the private key is what protects the app.
Tools we will be using: keytool, jarsigner, and zipalign. The first two ship with the Java JDK; zipalign is part of the Android SDK build-tools.
What is a keystore?
Also known as the Java KeyStore (JKS), a keystore is a password-protected file that holds private keys together with their certificates (and, optionally, trusted certificates belonging to others). The key pair used to sign Android applications lives in such a file, and each developer's keystore is unique to them: anyone who obtains the file and its passwords can sign updates to the app.
A keystore essentially stores your signing keys and their certificates.
keytool allows you to create keystores and key pairs, and comes pre-packaged with the Java JDK.
Let us generate our own keystore that we will use to sign our apk/payload.
keytool -genkey -v -keystore /root/Desktop/key.keystore -alias alexis -keyalg RSA -keysize 2048 -validity 1000
-alias – name of the key pair inside the keystore
-keyalg – the algorithm used to generate the key pair
-keysize – key pair size in bits
-validity – validity duration of the certificate in days
keytool will prompt for a keystore password, a key password, and the distinguished name (CN, OU, O, and so on) to place in the certificate. A validity of 1000 days is short for a release key: Android's own documentation uses -validity 10000, and once the certificate expires you can no longer ship updates to existing installs, because updates must be signed with the same key.
We will use jarsigner to sign the APK with the key in our keystore. The last argument is the alias chosen above.
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore /root/Desktop/key.keystore com.android.apk alexis
-sigalg – signature algorithm
-digestalg – digest algorithm used for the per-entry digests in the manifest
SHA1withRSA and SHA1 were historically chosen for compatibility with old Android releases that could not verify SHA-256 JAR signatures; for any current target use -sigalg SHA256withRSA -digestalg SHA-256 instead. jarsigner signs in place, adding META-INF/MANIFEST.MF, META-INF/ALEXIS.SF and META-INF/ALEXIS.RSA to the archive; you can check the result with jarsigner -verify -verbose -certs com.android.apk. Current build-tools also ship apksigner, which produces the v2 and later signature schemes required by apps targeting recent Android versions; if you use it, run zipalign before apksigner, because those schemes sign the whole file and are invalidated by realignment.
What is zipalign?
zipalign is an archive alignment tool that is run on the APK after jarsigner, so that the application runs more efficiently. It has to come after signing because jarsigner rewrites the archive when it adds the META-INF entries, which would undo any earlier alignment; the JAR signature itself survives realignment because it digests entry contents, not the archive layout.
zipalign ensures that all uncompressed data within the APK starts on 4-byte boundaries relative to the start of the file. This alignment allows Android to access those resources directly with mmap instead of copying them, improving the performance of the application and potentially reducing memory use.
Let us zipalign the signed application. The first path is the input (the APK jarsigner just signed) and the second is the aligned output; zipalign will not overwrite an existing output file unless you pass -f.
zipalign -v 4 com.android.apk com.android-aligned.apk
-v : verbose
4 : alignment in bytes (4-byte, i.e. 32-bit, alignment)
To confirm the result, zipalign -c -v 4 com.android-aligned.apk checks an existing APK and reports whether every entry is aligned.
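To make concrete what jarsigner's signature actually protects, and why zipalign can safely run after it, here is an added example in Python (it is not code from the original article and not jarsigner's implementation). It rebuilds only the MANIFEST.MF digest layer of a JAR (v1) signature over a constructed two-entry zip standing in for an APK; the CERT.SF and CERT.RSA layers are omitted, and the entry names and contents are placeholders. It then checks the manifest against a zipalign-style rewrite (same entry bytes, zero-padded extra fields), a tampered classes.dex, and an injected file.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample "APK" (really just a zip) for this added example; the
# contents are placeholders, not a real Android app.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
}
DIGEST_HEADER = "SHA-256-Digest: "


def build_zip(entries, extra_padding=0):
    """Write entries to an in-memory zip. extra_padding puts zero bytes into
    each entry's local-header 'extra' field, which is how zipalign shifts
    data to a 4-byte boundary without touching the entry contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name)
            info.extra = b"\x00" * extra_padding
            zf.writestr(info, data)
    return buf.getvalue()


def entry_digest(data):
    """Base64 SHA-256 of an entry's bytes, the value jarsigner writes with -digestalg SHA-256."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(apk_bytes):
    """Produce the MANIFEST.MF text jarsigner would write: a main section, then
    one section per entry carrying the digest of that entry's uncompressed bytes.
    The CERT.SF (digest of this manifest) and CERT.RSA (PKCS#7 signature over
    CERT.SF) layers that jarsigner adds on top are left out here."""
    lines = ["Manifest-Version: 1.0", "Created-By: added example", ""]
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            lines += [f"Name: {name}", DIGEST_HEADER + entry_digest(zf.read(name)), ""]
    return "\r\n".join(lines)


def parse_manifest(text):
    """Map entry name -> expected digest. Names here are short; real manifests
    fold lines longer than 72 bytes, which this minimal parser does not handle."""
    expected, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith(DIGEST_HEADER) and name is not None:
            expected[name] = line[len(DIGEST_HEADER):]
    return expected


def verify_manifest(apk_bytes, manifest_text):
    """Return a list of problems; an empty list means every non-META-INF entry
    is covered by the manifest and its bytes still match the recorded digest."""
    expected = parse_manifest(manifest_text)
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/"):
                continue  # the signature files are not themselves digested in MANIFEST.MF
            if name not in expected:
                problems.append(f"unsigned entry: {name}")
            elif entry_digest(zf.read(name)) != expected[name]:
                problems.append(f"digest mismatch: {name}")
    return problems


def demo():
    """Sign-then-realign survives; tampering with or injecting an entry does not."""
    original = build_zip(SAMPLE_ENTRIES)
    manifest = build_manifest(original)
    aligned = build_zip(SAMPLE_ENTRIES, extra_padding=3)  # zipalign-style rewrite
    tampered = build_zip({**SAMPLE_ENTRIES, "classes.dex": b"dex\n035\x00" + b"A" * 32})
    injected = build_zip({**SAMPLE_ENTRIES, "assets/payload.bin": b"\x90" * 16})
    return {
        "original": verify_manifest(original, manifest),
        "aligned": verify_manifest(aligned, manifest),
        "tampered": verify_manifest(tampered, manifest),
        "injected": verify_manifest(injected, manifest),
        # A whole-file hash (what the v2 scheme signs) does change on realignment.
        "whole_file_hash_changed": hashlib.sha256(aligned).digest() != hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The manifest still verifies after the realigned rewrite because the v1 scheme digests entry contents rather than the archive layout, which is exactly why jarsigner can precede zipalign. The whole-file hash does change, which is why the newer apksigner schemes have to be applied after zipalign instead.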