GoNorthWest
buzztouch Evangelist
Profile
Posts: 8197
Reg: Jun 24, 2011
Oro Valley, AZ
1,000,000
06/11/12 04:24 PM (13 years ago)

Five Minute Tutorial : Android App Signing and Keystores

Hello! Recently I've seen an extra amount of activity in the Forum around the issues of signing Android apps, and keystores in general. I thought that the time might be right for a quick Five Minute Tutorial on the subject, in an attempt to help clear up some confusion, and to communicate the importance of keeping track of your release keystore.

If you read the Android Developers documentation on signing your applications, the very first paragraph says this:

"The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The certificate is not used to control which applications the user can install. The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates."

I think this is a very clear paragraph on what the requirements are, but let's sum it up in bullets:

* All Android apps have to be signed with a certificate held by you (or somebody you trust)
* The certificate is used to identify where the app comes from, and if you can trust it
* You don't have to get a certificate from a complicated place like you do with Apple
* You are allowed to create your own certificate, and sign your apps with it

Signing an app is just a way of saying, "Hey, I'm GoNorthWest, here is some information about me, and I developed this app. You can trust me! Your application can also trust mine if they need to talk with each other." Pretty simple!

There are two different ways you can sign your app during the build process:

* Debug Mode: This mode is used when you are developing and testing your application. By default, the Android SDK (Software Developer Kit) uses a Keytool utility to create a debug key when you build your app in debug mode. That key is good for 365 days from the date it was created. Because the SDK knows the alias and keystore password for this keystore, it doesn't need to prompt you each time you build your app and install it in the Emulator. You cannot upload an app signed with a debug certificate to Google Play.
* Release Mode: This mode requires you to use your own private key to sign your application. If you don't already have a release keystore, you can create one using the Keytool, or via the Export Wizard when compiling a release version of your app. That's the method I prefer to use. You will be asked some basic information like a keystore password and alias, and some contact info. A release key is REQUIRED to submit your app to Google Play.

Here's a short paragraph from Google summing up some of what I just said:

"The debug signing process happens automatically when you run or debug your application using Eclipse with the ADT plugin. Debug signing also happens automatically when you use the Ant build script with the debug option. You can automate the release signing process by using the Eclipse Export Wizard or by modifying the Ant build script and building with the release option."

Don't worry about what Ant is unless you're really hardcore. Then just Google it!

If you ever need to find the debug keystore that comes with the Android SDK, here's where it generally lives:

* Mac/Linux : ~/.android/
* Windows XP : C:\Documents and Settings\<user>\.android
* Windows Vista/7 : C:\Users\<user>\.android

So, now we know what application signing is, why we need to do it, and a little bit about how it works. Now let's take a look at some signing strategies for releasing your app:

* As you release new versions of your app, you MUST use the same release key if you want users to be able to upgrade seamlessly to the new version. If you do not have the same key, then the app will be considered a new app, and users will have to uninstall the old, and install the new to update. In addition, if the certificates do not match, then you have to assign a new package name to the application...effectively making it a completely different app.
* Your release key should have a validity period that exceeds the expected lifetime of the app. Generally, it should be at least 25 years, but oftentimes 45 years is recommended. At the very least, it MUST be valid past 22 October 2033. That's a Google rule.
* You cannot sign your release app with a debug key. I know I already said that, but it's still true!
* You can...and probably should...sign multiple apps with the same release key. Since the apps all come from you, there's no real reason not to.
* Keep your release key secure. Make sure it has a decent password, and that you (or somebody you trust) retains possession of the keystore. Put it in a safe place.
* Do not lose track of your key. I keep mine in DropBox so I can access it from multiple computers, and if I lose the data on my computer, it'll still be there.
* If you lose your release key, and you want to sign a new version of your app, you are out of luck. I am not aware of any methods to recover lost keys. Keep it safe!

I cannot say this enough: keep your private key safe. Make a backup of it, and keep that safe as well. If you lose your release key, you cannot get it back. So treat it with the importance it deserves, and you'll be OK!

OK, I think my five minutes are up. If you want to read more, and I highly encourage you to do so, check out this link, which is where I got most of the info for this tutorial: http://developer.android.com/guide/publishing/app-signing.html

Keys are super important in the Android world (as certificates are in iOS)! Keep them safe, remember your passwords, and you should never run into any troubles with them!

Hope this helps a bit in your quest for Android development. Any questions or constructive criticism, please let me know! Mark
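As an added example (not part of Mark's post, the buzztouch guides, or Google's documentation), the script below turns the two validity rules from the tutorial into a check you can run against your own release keystore: the key should be good for at least 25 years, and it must be valid past 22 October 2033. It computes the keytool -validity value that satisfies both rules for today's date, prints the keytool command that creates a release keystore with that validity, and parses the "Valid from: ... until: ..." line of `keytool -list -v` output to confirm an existing certificate passes. The two keystore listings embedded in it are constructed samples, not captured from real keystores (the debug one uses the "CN=Android Debug, O=Android, C=US" name the SDK gives its debug key), and the parser assumes keytool's English-locale date format.

```python
"""Added example: release keystore validity checks for the two rules in the post:
at least 25 years, and valid past 22 October 2033.  Builds the keytool command
and checks a `keytool -list -v` listing against the rules."""
import datetime as dt
import re
import sys
from typing import List, Optional, Tuple

GOOGLE_DEADLINE = dt.date(2033, 10, 22)  # hard date quoted in the post
MIN_YEARS = 25                           # "at least 25 years"
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# English-locale keytool line: "Valid from: ... until: Sat Jun 11 16:24:00 MST 2039"
_UNTIL = re.compile(
    r"until:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(\d{4})")


def _add_years(d: dt.date, years: int) -> dt.date:
    """d plus N calendar years; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def required_validity_days(today: dt.date, min_years: int = MIN_YEARS,
                           deadline: dt.date = GOOGLE_DEADLINE) -> int:
    """Smallest keytool -validity (in days) that satisfies both rules."""
    by_years = (_add_years(today, min_years) - today).days
    by_deadline = (deadline - today).days + 1   # +1: expiry must be *past* the deadline
    return max(by_years, by_deadline)


def keytool_genkey_command(keystore: str, alias: str, validity_days: int,
                           keyalg: str = "RSA", keysize: int = 2048) -> List[str]:
    """keytool invocation for a release keystore; keytool itself prompts for the
    keystore password, key password and contact details (the info the post mentions)."""
    return ["keytool", "-genkeypair", "-v", "-keystore", keystore, "-alias", alias,
            "-keyalg", keyalg, "-keysize", str(keysize), "-validity", str(validity_days)]


def parse_valid_until(listing: str) -> Optional[dt.date]:
    """Extract the 'until:' date from `keytool -list -v` output, or None if absent."""
    m = _UNTIL.search(listing)
    if not m:
        return None
    mon, day, year = m.groups()
    return dt.date(int(year), _MONTHS[mon], int(day))


def check_release_cert(listing: str, today: dt.date, min_years: int = MIN_YEARS,
                       deadline: dt.date = GOOGLE_DEADLINE) -> Tuple[bool, str]:
    """Apply both rules to a keystore listing; returns (ok, reason)."""
    until = parse_valid_until(listing)
    if until is None:
        return False, "no 'until:' date found in keytool output"
    if until <= deadline:
        return False, f"expires {until}: not valid past {deadline}"
    if until < _add_years(today, min_years):
        return False, f"expires {until}: less than {min_years} years from {today}"
    return True, f"valid until {until}"


# Constructed sample listings (not captured from real keystores).  The debug DN is
# the one the SDK uses for its debug key; its 365-day certificate fails the rules.
DEBUG_LISTING = """\
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Valid from: Mon Jun 11 16:24:00 MST 2012 until: Tue Jun 11 16:24:00 MST 2013
"""
RELEASE_LISTING = """\
Owner: CN=Example Developer, O=Example, C=US
Issuer: CN=Example Developer, O=Example, C=US
Valid from: Mon Jun 11 16:24:00 MST 2012 until: Sat Jun 11 16:24:00 MST 2039
"""

if __name__ == "__main__":
    today = dt.date.today()
    days = required_validity_days(today)
    print("keytool -validity needed today:", days)
    print(" ".join(keytool_genkey_command("release.keystore", "release", days)))
    for name, listing in (("debug", DEBUG_LISTING), ("release", RELEASE_LISTING)):
        print(name, check_release_cert(listing, dt.date(2012, 6, 11)))
    if not sys.stdin.isatty():  # optional: pipe a real `keytool -list -v` listing in
        print("stdin", check_release_cert(sys.stdin.read(), today))
```

To check a real release keystore, run `keytool -list -v -keystore release.keystore | python check_keystore.py` and read the last line; the debug keystore in ~/.android/ will always fail, which is exactly why it cannot be used for Google Play.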
 
ceerup
Code is Art
Profile
Posts: 1033
Reg: Oct 10, 2011
New York City
16,380
06/11/12 06:36 PM (13 years ago)
Very well written. Good job Mark!
 
Susan Metoxen
buzztouch Evangelist
Profile
Posts: 1706
Reg: May 01, 2011
Hopkins, Minnes...
26,260
06/11/12 09:58 PM (13 years ago)
Thanks for explaining this, Mark! The part I struggled with the most was getting the key out of terminal.
 
GoNorthWest
buzztouch Evangelist
Profile
Posts: 8197
Reg: Jun 24, 2011
Oro Valley, AZ
1,000,000
06/11/12 11:40 PM (13 years ago)
Hi Susan, "Key out of the terminal?" Not sure what that means exactly! Mark
 
Susan Metoxen
buzztouch Evangelist
Profile
Posts: 1706
Reg: May 01, 2011
Hopkins, Minnes...
26,260
06/12/12 06:53 AM (13 years ago)
This is the process you described in "Obtaining a Google Maps API Key", where you need to go into Terminal and enter commands. I think I understand it now, but it was completely over my head at first. http://www.buzztouch.com/resources/Obtaining_a_Google_Maps_API_Key_v1.0.pdf
 
GoNorthWest
buzztouch Evangelist
Profile
Posts: 8197
Reg: Jun 24, 2011
Oro Valley, AZ
1,000,000
06/12/12 03:40 PM (13 years ago)
Gotcha! That's a bit beyond the scope of this tutorial, but I'll try and improve the document you are referencing. Thanks! Mark
 
Susan Metoxen
buzztouch Evangelist
Profile
Posts: 1706
Reg: May 01, 2011
Hopkins, Minnes...
26,260
06/12/12 07:20 PM (13 years ago)
Your document is fine... the problem is with the student!
 
jawdoss
Android Fan
Profile
Posts: 359
Reg: Jun 10, 2012
Gold Coast, Que...
9,090
06/13/12 03:42 AM (13 years ago)
Thanks, this has cleared up a lot of things for me.
 
AppGuy30
Code is Art
Profile
Posts: 737
Reg: Oct 29, 2011
location unknow...
14,070
07/03/12 06:24 PM (13 years ago)
So how do I create a debugging keystore? And a release keystore?
 
GoNorthWest
buzztouch Evangelist
Profile
Posts: 8197
Reg: Jun 24, 2011
Oro Valley, AZ
1,000,000
07/03/12 06:30 PM (13 years ago)
Hi AppMaster, Go to the How-To section of buzztouch and download the "buzztouch for Android" guide. It will guide you step by step! Mark
 
jawdoss
Android Fan
Profile
Posts: 359
Reg: Jun 10, 2012
Gold Coast, Que...
9,090
07/03/12 07:37 PM (13 years ago)
Great tutorial. I had troubles with this when I was trying to get my head around it... wish it was up then!!
 