Android Platform Signature Certificate (.keystore) Generation Guide

Android Platform Signature Certificate (.keystore) Generation Guide

Posted on March 3, 2025

To package and publish APK applications on the Android platform, a digital certificate (. keystore file) is required for signature to indicate the developer's identity.

The generation of Android certificates is self-service and free, without the need for approval or payment.

It can be generated using the keytool command in the JRE environment. The following is the method for generating certificates on the Windows platform:

Install JRE environment (JRE8 environment is recommended, if it already exists, it can be skipped)

You can download the JRE installation package from the official Oracle website:

https://www.oracle.com/java/technologies/downloads/#java8

Taking the Windows platform as an example, the jre installation directory is "C: \ Program Files \ Java \ jre1.8.0_201". Please modify it to your own installation directory during actual operation

Suggest adding the JRE installation path to the system environment variable. If it has already been configured, this section can be skipped

Open the command line (cmd) and enter the following command:

d: set PATH=%PATH%;"C:\Program Files\Java\jre1.8.0_201\bin"

*First line: Switch working directory to D: path

*Line 2: Add the jre command to the temporary environment variable

Generate signature certificate

Use the keytool - genkey command to generate a certificate:

keytool -genkey -alias testalias -keyalg RSA -keysize 2048 -validity 36500 -keystore test.keystore

*Testalia is a certificate alias that can be modified to the characters you want to set. It is recommended to use English letters and numbers

*Test.keystore is the name of the certificate file, which can be modified to the file name you want to set, or you can specify the complete file path

*36500 is the validity period of the certificate, representing a 100 year validity period in days. It is recommended to set the time longer to avoid certificate expiration

After entering the car, it will prompt:

Enter keystore password: //Enter the password for the certificate file, enter 'Finish' and enter
Re-enter new password: //Enter the certificate file password again, complete the input, and press enter
What is your first and last name? [Unknown]: //Enter first name and last name, complete input and press enter
What is the name of your organizational unit? [Unknown]: //Enter the name of the organizational unit, enter 'complete' and press enter
What is the name of your organization? [Unknown]: //Enter the organization name, enter 'complete' and press enter
What is the name of your City or Locality? [Unknown]: //Enter the city or locality name, enter 'complete' and press enter
What is the name of your State or Province? [Unknown]: //Enter the state or province name, enter 'complete' and press enter
What is the two-letter country code for this unit? [Unknown]: //Enter the two-letter country code, enter 'complete' and press enter
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: //Enter 'y' and press enter

After the above command is executed, a certificate will be generated with the path "D: \ test. Keystore".

Attention: The above information should be filled out in a standardized manner. Improper filling may affect the application's listing on the app market.

View certificate information

You can use the following command to view:

keytool -list -v -keystore test.keystore Enter keystore password://Enter password, press enter

It will output the following format information:

Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: testalias
Creation date: 2025-03-03
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 1234567890
Valid from: Tue Mar 03 10:00:00 CST 2025 until: Wed Mar 03 10:00:00 CST 2035
Certificate fingerprints:
Certificate fing
Certificate fingerprints:
MD5: IP_ADDRESS:IP_ADDRESS
MD5: IP_ADDRESS
MD5: 12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF

Among them, certificate fingerprints:

*MD5:MD5 fingerprint information of the certificate (security code MD5)

*SHA1:SHA1 fingerprint information of the certificate (security code SHA1)

*SHA256:SHA256 fingerprint information of the certificate (security code SHA245)

Android Signature Acquisition Tool

Directly obtain the signed APK package of third-party applications installed on the phone through an APK. Details:

https://developers.weixin.qq.com/doc/oplatform/Downloads/Android_Resource.html

precautions

Cloud packaging will add V1/V2 signatures by default. It is known that V1 signatures do not support 2048 bit DSA algorithm. Using 2048 bit DSA key for cloud packaging may fail with the following error message:

* What went wrong: Execution failed for task ':app:packageRelease'. > A failure occurred while executing com.android.build.gradle.tasks.PackageAndroidArtifact$IncrementalSplitterRunnable > java.io.IOException: Failed to generate v1 signature

solution

The first method: regenerate the certificate and add the "- keyalg RSA" parameter in the certificate generation command to specify the use of RSA algorithm

The second method: Set miniSdkVersion greater than or equal to 24, because V2 signature requires Android 7 and above devices to support it. Setting miniSdkVersion greater than or equal to 24 means that Android 7 and below devices are not supported, so V1 signature is not required. For details on setting miniSdkVersion, please refer to: https://ask.dcloud.net.cn/article/193

How to view certificate algorithm

Use "keytool - list - v" to view certificate information, and check the information in the "Subject Public Key Algorithm:" item. The following indicates the use of DSA algorithm:

Subject Public Key Algorithm: 2048-bit DSA key

If you think it's great, please subscribe to my YouTube account!