Preparing apps for publication

This page goes through the steps you need to take before publishing your application. After you have taken these few simple steps, you will have a signed APK file that you can upload to Cafe Bazaar and make available to users.

1. Before anything else, make sure you have chosen the right package name for your app:

Because an application cannot be renamed after it has been published, make sure that you have chosen the right package name before offering the application to users. To find out how to choose a package name, please see “Rules for naming packages”.

2.    Generating a signed APK

Before allowing an app to be installed on a device, Android OS checks whether it is digitally signed with a certificate. If an app is not signed this way, it will not be installed on users’ devices.

A certificate is used to identify the real owner of the app. Only the app’s developer has the private key that belongs to this certificate. The file that holds this certificate together with its key is called a KeyStore.

 

Ways to sign an app

There are two ways to sign an app, each used under a certain condition: “debug mode” and “release mode”.

While you are building and testing your app, you sign it in debug mode; when you intend to publish the app, you sign it in release mode. The first way, which is only used to test the app, uses the Android debug key. This key is created by the Android SDK and is used when running or debugging your app from the IDE (Integrated Development Environment). The reason for using this key is to speed up the testing of the app. To sign the app in release mode, you have to make your own personal KeyStore.

 

Signing an app in debug mode

When running or debugging your app from the IDE, you sign it using a key file that has been created by the Android SDK tools. This key file has a private key with a known password, so you do not have to type in the password each time you want to run and test the app, which makes running and testing faster.

As an example, Android Studio automatically signs your app from the IDE each time you run or debug your app. In this case you may not notice the signing procedure.

Caution: You can run and test an app that has been signed with the debug key on emulators or on a device that is connected to your computer via USB cable. However, you cannot upload an app signed this way to Cafe Bazaar or Google Play, or distribute it to users.

By default, debug configurations use a debug KeyStore and a private key, each with a known password. You can find the debug KeyStore at the following path:

$HOME/.android/debug.keystore

 

Signing an app in release mode

After you have finished developing and testing the app, you need to create a package that is suitable for delivery to users. At this point, you need to sign the app with a unique certificate whose password and private key only you have. Generally, doing so includes the following steps:

1.    Make a KeyStore

A KeyStore is a binary file which includes a number of private keys. After creating this file, take care not to lose it. Preferably, keep copies in a number of safe places in order to reduce the odds of losing it.

Note: In some development tools such as Basic4android you may find substitute options for KeyStore such as Private Sign Key.

2. Make a private key.

This key will show the identity of the person or company that has developed the app.

3. Add the signature configuration to the build file.

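...
android {
       ...
       defaultConfig { ... }
       signingConfigs {
              release {
                    // Placeholder values: use your own keystore file, alias and passwords,
                    // and keep real passwords out of version control.
                    storeFile file("myreleasekey.keystore")
                    storePassword "password"
                    keyAlias "MyReleaseKey"
                    keyPassword "password"
              }
       }
       buildTypes {
              release {
                    ...
                    // Sign release builds with the configuration defined above.
                    signingConfig signingConfigs.release
              }
       }
}
...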

 

4. After you have made the KeyStore and private key, run assembleRelease in Android Studio.

Note: After signing the app, you can find the prepared package at app/build/apk/app-release.apk.

Caution: Make sure you keep backups of your KeyStore and private key in a number of safe places. If you publish an app on Cafe Bazaar and then lose the key, you won’t be able to offer updates for it later.

 

How to sign an app in Android Studio

 

To sign your app in release mode in Android Studio, take the following steps:

1. From the top menu, click Build and then Generate Signed APK.

2. In the window that pops up, select Create New in order to create a new KeyStore.

3. In the New KeyStore window, type in the required information.

Caution: The Validity field sets how long the key remains valid. To make sure you are able to publish updates in the future, set a key validity of at least 25 years.

Signing an app from command line

You do not have to use Android Studio to sign an app. You can also do so from the command line, using the standard tools provided by the Android SDK and the JDK. To sign an app via the command line, take the following steps:

1. Use keytool to create your own private key:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

 

After you have entered the above command, you will be asked to assign passwords to the keystore and the private key, as well as a distinct name to the key.

The name you type in place of alias_name will be used in later stages when signing the application package.

Caution: The keystore created in this stage holds a key that is valid for 10,000 days. In order for the key to be valid for future updates of the application, we recommend that the validity value not be less than that number.

After you have assigned all the required values, my-release-key.keystore will be created.

2. Compile your app in release mode so that you are given the unsigned APK file.

Now you need to sign your app with the private key you have created by using a tool named jarsigner:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name

 

When you enter the above command, you will be required to provide the password you assigned to the keystore in stage 1. Once you type in the correct password, the APK file is signed with the key you created earlier.

3.    We recommend that in the end you make sure the APK has been signed.
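One way to carry out the check in step 3, as an added example that is not part of the original page: jarsigner -verify confirms the signature, and the certificate printed by keytool -printcert -jarfile is checked for the debug key and for at least 25 years of remaining validity. The function names, verdict strings and sample outputs are constructed for illustration, and the script assumes the tools print English messages.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the JDK's jarsigner and
# keytool are on PATH and print English messages.
MIN_YEARS=25   # minimum remaining validity, per the 25-year advice above

# Reads `keytool -printcert -jarfile APK` output on stdin; $1 = current year.
# Prints a verdict; returns 0 only for a non-debug key with enough validity.
check_cert_text() {
    text=$(cat)
    owner=$(printf '%s\n' "$text" | sed -n 's/^Owner: //p' | head -n 1)
    until_year=$(printf '%s\n' "$text" |
        sed -n 's/^Valid from: .* until: .* \([0-9]\{4\}\)$/\1/p' | head -n 1)
    if [ -z "$owner" ] || [ -z "$until_year" ]; then
        echo "no-certificate"; return 2   # unsigned APK or unexpected output
    fi
    case "$owner" in
        *"CN=Android Debug"*) echo "debug-key"; return 1 ;;
    esac
    # Year-granularity comparison; enough to catch short-lived keys.
    if [ $(( $until_year - $1 )) -lt "$MIN_YEARS" ]; then
        echo "short-validity"; return 1
    fi
    echo "release-ok"
}

# Full check: signature integrity first, then the signer certificate.
check_apk() {
    # Match the success message rather than trusting the exit status alone.
    jarsigner -verify "$1" 2>&1 | grep -q '^jar verified' ||
        { echo "signature-invalid"; return 1; }
    keytool -printcert -jarfile "$1" | check_cert_text "$(date +%Y)"
}

# Constructed keytool output for a debug-signed APK (not real data).
SAMPLE_DEBUG='Signer #1:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 24 00:00:00 UTC 2053'

# Constructed output for a release key created with -validity 10000.
SAMPLE_RELEASE='Signer #1:
Owner: CN=Example Developer, O=Example, C=IR
Issuer: CN=Example Developer, O=Example, C=IR
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Fri May 19 00:00:00 UTC 2051'

# Check the APK given as the first argument, if any.
if [ "$#" -gt 0 ]; then check_apk "$1"; fi
```

The script takes the path of the signed APK as its only argument and prints a single verdict; anything other than release-ok means the package should not be uploaded as it is.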