And now it's time to sign your APK for release. This took a while to figure out due to all the conflicting information about ways of setting this up.
I've determined that the easiest way of doing this is to simply create a "toggle variable" that skips the signing process unless specified by the calling script / command line argument.
Contents
- Part 1 - Installing Maven for Eclipse
- Part 2 - Compiling and building your APK
- Part 3 - Converting an existing Android project to a Maven project
- Part 4 - Share a library project using a local Maven repository
- Part 5 - How to debug your Android app with Maven?
- Part 6 - Sign your Android app APK for release
- Part 7 - Global properties and settings for Maven
Setting it up
Open up your pom.xml file for editing, go to project > properties and add in:
<sign.skip>true</sign.skip>
This, by default, will skip the signing process.
Now scroll down to find the project > build > plugins and add in this:
<!-- Sign the APK with release signature -->
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.3.2</version>
    <configuration>
        <!-- Required because it's initially signed with a debug cert -->
        <removeExistingSignatures>true</removeExistingSignatures>
        <skip>${sign.skip}</skip>
        <keystore>${sign.keystore}</keystore>
        <storepass>${sign.storepass}</storepass>
        <alias>${sign.alias}</alias>
        <keypass>${sign.keypass}</keypass>
    </configuration>
    <executions>
        <execution>
            <id>sign</id>
            <goals><goal>sign</goal></goals>
        </execution>
        <execution>
            <id>verify</id>
            <goals><goal>verify</goal></goals>
        </execution>
    </executions>
</plugin>
You may have noticed in the configuration that <skip> is controlled by ${sign.skip}, as defined above in the properties. You can override this by passing in command line arguments to mvn.
Similarly with the keystore, storepass, alias and keypass, they're all configured with properties or command line arguments. This is a good way of keeping your passwords out of the pom.xml file and source control.
Another point to make clear is that you NEED removeExistingSignatures. When the jar/apk is initially created, it's signed with a debug certificate. You have to REMOVE that before signing with your own, otherwise the verification goal will fail with this error:
[INFO] jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for res/drawable-xhdpi/abc_ic_go_search_api_holo_light.png
How to sign your APK
Normally, you'd just run this to create a debug APK:
mvn package
To create the release APK, type the following to begin the build process:
mvn package -Dsign.skip=false -Dsign.keystore=X:\your\cert.keystore -Dsign.storepass=STOREPASSWORD -Dsign.alias=KEYALIAS -Dsign.keypass=KEYPASS
The "-Dvarname=value" syntax passes a property to the build, which overrides any instance of ${varname} in your pom.xml file.
It's also a good idea to enable verbose output to test your configuration until it's working properly. Place this under the jarsigner plugin > configuration:
<verbose>true</verbose>
You'll probably also run into this warning message:
[INFO] Warning:
[INFO] No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2068-08-23) or after any future revocation date.
Don't worry, it's not too bad. The date shown is the expiry date of your certificate, so this is fine as long as your certificate doesn't expire for an extraordinarily long time.
By now you should be able to produce a signed APK file, ready for release.
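As an added example (not part of the original post), here is a hypothetical wrapper script around the release command above: it prompts for the two passwords rather than leaving them in shell history, runs the same mvn invocation, and then checks with jarsigner that the resulting APK no longer carries the debug certificate that removeExistingSignatures is meant to strip. It assumes the environment variables SIGN_KEYSTORE and SIGN_ALIAS and the output path target/*.apk.

```shell
#!/bin/sh
# Hypothetical wrapper around the post's mvn command: prompts for the passwords instead
# of leaving them in shell history, then checks the APK is not still debug-signed.
set -u

# Read a password from the terminal without echoing it.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null; read -r secret; stty echo 2>/dev/null
    printf '\n' >&2; printf '%s' "$secret"
}

# Classify the output of `jarsigner -verify -verbose -certs <apk>`. The Android debug
# keystore's certificate carries the DN "CN=Android Debug, O=Android, C=US".
classify_listing() {
    if ! printf '%s\n' "$1" | grep -q '^jar verified'; then echo not-verified
    elif printf '%s\n' "$1" | grep -q 'CN=Android Debug'; then echo debug-signed
    else echo release-signed
    fi
}

# Constructed sample listings (not real build output) to exercise classify_listing.
SAMPLE_DEBUG='sm  1234 Mon Jan 01 00:00:00 UTC 2014 classes.dex
      X.509, CN=Android Debug, O=Android, C=US
jar verified.'
SAMPLE_RELEASE='sm  1234 Mon Jan 01 00:00:00 UTC 2014 classes.dex
      X.509, CN=Example App Publisher, O=Example Ltd, C=GB
jar verified.'

# Build with the post's sign.* properties; SIGN_KEYSTORE and SIGN_ALIAS are assumed env vars.
# The -D values are still visible to `ps` on this machine while mvn runs.
release_build() {
    keystore="${SIGN_KEYSTORE:?set SIGN_KEYSTORE to the release keystore path}"
    key_alias="${SIGN_ALIAS:?set SIGN_ALIAS to the key alias}"
    [ -r "$keystore" ] || { echo "keystore not readable: $keystore" >&2; return 1; }
    storepass=$(read_secret "Keystore password")
    keypass=$(read_secret "Key password for $key_alias")
    mvn package -Dsign.skip=false -Dsign.keystore="$keystore" -Dsign.alias="$key_alias" \
        -Dsign.storepass="$storepass" -Dsign.keypass="$keypass" || return 1
    apk=$(ls target/*.apk 2>/dev/null | head -n 1)   # assumed output location
    case "$(classify_listing "$(jarsigner -verify -verbose -certs "$apk" 2>&1)")" in
        release-signed) echo "OK: $apk is signed with alias $key_alias" ;;
        debug-signed)   echo "FAIL: $apk still carries the debug certificate" >&2; return 1 ;;
        *)              echo "FAIL: jarsigner could not verify $apk" >&2; return 1 ;;
    esac
}

case "${1:-}" in --run) release_build ;; esac
```

Run it as `sh release-build.sh --run` from the project directory; without `--run` it only defines the functions.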