When I am signing the apk, I get this error message: "jarsigner: unable to sign jar: java.util.zip.ZipException: invalid entry compressed size (expected 463 but got 465 bytes)". The apk size is almost 1MB. When I reduce the size to 500KB, signing succeeds. Why is this so? Any idea?
7 Answers
You are trying to sign an already signed `.apk`.
You need to export an unsigned `.apk` file and then sign it with `jarsigner`.

- Or you can just remove the signature from the existing apk with a single command. See: http://stackoverflow.com/a/30722523/117471 – Bruno Bronosky Jun 09 '15 at 03:30
- I'm really disappointed that this is still the accepted answer 2 years after an actual solution was given. – Bruno Bronosky Sep 06 '17 at 15:00
- Had the same. When removing existing signature remember to remove signature entries from MANIFEST.MF file too. – Krzysztof Jabłoński Jul 19 '18 at 16:04
- This answer is still good though because it gives information about _why_ it is happening, which is helpful for troubleshooting different use cases. For example my issue was with AppCenter, which did in fact warn me that I was attempting to resign a signed package, so I had to remove the signingConfig from my build.gradle ... horses for courses and all that! – Matt Fletcher Feb 09 '20 at 13:36
You definitely are able to sign an already signed APK multiple times using different keys:
Note that you can sign an APK multiple times with different keys.
E.g. I accomplished signing a Debug-Apk with the release key so that I was able to test upgrades of released versions. Also, I was able to sign an already released APK with the debug key for reproducing bugs.
This is what you should do:
- Rename the `.apk` file to `.zip`
- Unpack the `.zip` file and remove the `META-INF` folder
- Zip the folder again and rename it to `.apk`
- Sign the apk:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
-keystore my-release-key.keystore my_application.apk alias_name
For the debug key, the alias should be `androiddebugkey` and the password `android`. The debug keystore is per default `$HOME/.android/debug.keystore`. See also Sign your debug build.
- you save my day, and possibly my apps as well! Eclipse crashes every time I try to export my apps Signed or not, so the only way to go for me was command-line and then I had this error, only solution that worked! thanks again – Guillaume Jun 12 '12 at 07:05
- @Guillaume, to avoid eclipse crashing - turn off "Build Automatically" (Project->Build automatically) – Luten Aug 04 '14 at 09:08
- The CERT.RSA file which holds the signature is stored in the META-INF folder which you are suggesting to remove. Which in effect is the same as removing the signature. So that's why you are able to sign it with the debug key. So it doesn't mean that you have signed the apk with two different keys. – Rajesh Dec 26 '14 at 10:29
- I have signed the apk successfully but I am getting below error while installing the app "error - There is a problem parsing the package". What might be the issue please help .. – KK_07k11A0585 Jan 30 '15 at 13:16
- For the record, this method did not work for me, even after deleting the META-INF folder I still get the ZipException – Sterling Archer Feb 02 '15 at 22:04
- I have a single command that accomplishes this much easier in my answer below. http://stackoverflow.com/a/30722523/117471 I have confirmed that the inappropriately signed APK that I received from a vendor was able to be resigned after running this single command. – Bruno Bronosky Jun 09 '15 at 03:32
This is the 1 Liner/1 Step version of @Joerg's answer above:
zip -d foo.apk META-INF/\*
That uses the built in "delete from existing archive" functionality of the `zip` command. When you run that command you should see:
deleting: META-INF/MANIFEST.MF
deleting: META-INF/CERT.SF
deleting: META-INF/CERT.RSA
...as the output. Those files are the existing signature. Removing them allows you to sign it again.
I would also like to reiterate that you should be sure to pass the `-sigalg SHA1withRSA` and `-digestalg SHA1` arguments to the `jarsigner` to avoid this issue: https://code.google.com/p/android/issues/detail?id=19567

- Be careful with _zip -d foo.apk META-INF/\*_ - it can delete more files than needed. – Danny Schoemann Jul 20 '16 at 09:53
- @DannySchoemann Meaning what? I see 3 files in *META-INF/gdata/kinds/com.google.schemas.contact.2008* and META-INF/services/com.fasterxml.jackson.core.JsonFactory. So will I be safe if only the manifest and cert files are removed? – kaay Oct 05 '16 at 08:55
- @kaay- That looks right, but I don't know for sure, you may have to experiment which you need to delete. – Danny Schoemann Oct 06 '16 at 11:45
- I have a lot of `androidx.*` in my `META-INF` so definitely remove those 3 files one by one. – vesperto Feb 25 '21 at 12:10
- After trying this I got this error Warning: The signer's certificate is self-signed. Any ideas? – David Feb 04 '22 at 16:38
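
Following up on the comments above about `zip -d foo.apk META-INF/\*` deleting more than the signature, here is an added example (not part of any answer on this page) that rewrites an archive without the JAR signature entries only (`MANIFEST.MF`, `*.SF`, `*.RSA`/`*.DSA`/`*.EC`, `SIG-*`) and keeps other `META-INF/` content such as `services/` files. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# JAR (v1) signature artifacts sit directly in META-INF/: the manifest,
# signature files (*.SF), signature blocks (*.RSA, *.DSA, *.EC) and SIG-*.
# Anything in a META-INF/ subdirectory (e.g. services/) is not matched.
SIGNATURE_ENTRY = re.compile(
    r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]+)$", re.IGNORECASE
)


def strip_jar_signature(src, dst):
    """Copy archive src to dst without JAR signature entries.

    src and dst may be paths or binary file objects.
    Returns the names of the entries that were dropped."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                removed.append(info.filename)
                continue
            # Keep each entry's original compression method so that
            # stored (uncompressed) resources stay stored.
            zout.writestr(info, zin.read(info.filename),
                          compress_type=info.compress_type)
    return removed


def build_sample_apk():
    """Constructed sample: a tiny 'signed' archive, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
        z.writestr("META-INF/services/com.fasterxml.jackson.core.JsonFactory",
                   b"impl\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    out = io.BytesIO()
    print("removed:", strip_jar_signature(build_sample_apk(), out))
    print("kept:   ", zipfile.ZipFile(out).namelist())
```

The rewritten archive is no longer aligned, so zipalign has to be run again after signing.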
I encountered this when signing my .aab file. Removing the duplicate signing (once as part of the bundling, once manually) fixed it. This was part of the default react-native app scaffolding.
The `app/build.gradle` file includes a section `android/buildTypes/release` which had its `signingConfig` key set. When generating .apk files it seemed to be ignored but when switching to .aab format it looks like it did apply that signing. When I then did my own signing in CI, it complained because it was already signed.

- Great observation! I was stuck on this while trying to publish a bundle via CI. Thank you. – AnupamChugh Jan 14 '21 at 09:51
- Hats off to you sir! For those following along, you'll want to comment out the line which says "signingConfig signingConfigs.debug" under release or set up your own. – Frank Fu Sep 06 '21 at 11:44
- To further complement this, here are the React Native docs that specify what you need to do. [link](https://reactnative.dev/docs/signed-apk-android#migrating-old-android-react-native-apps-to-use-app-signing-by-google-play) – Spartacus Sep 15 '21 at 20:20
- I had generated my Android project from ReactNative 0.67 last year which seems to have created this problem, now I'm using the new bundle signing. Commenting out the release signing section stopped the `gradlew bundleRelease` from signing the .aab file with the debug key. Then I can sign it with my release key using `jarsigner` and it uploads OK. @Spartacus points out, I will have to upgrade my RN project. – scipilot Oct 05 '22 at 08:14
As far as I faced this error, it occurs when you try to sign a zipaligned .apk file.
Looks like jarsigner can't stand some of the zipalign changes.
This doesn't occur often.

- Zipaligning an apk does not prevent it from being signed. You will have to run zipalign again after signing to get it back into an aligned state. – dmdrummond Jul 30 '14 at 19:49
- @dmdrummond It doesn't prevent, but it should. Aligning modifies zip. Signing sometimes fails to sign aligned zip with this error. Why downvote? – Luten Jul 31 '14 at 09:31
- You've now changed the meaning of your answer. Your previous answer strongly suggested that it was not possible to sign a zip-aligned file. That was incorrect. – dmdrummond Aug 05 '14 at 10:11
- @dmdrummond, No, It didn't. You may reread the preedit version (http://stackoverflow.com/posts/13026461/revisions) – Luten Aug 06 '14 at 08:55
According to Google's documents you can sign an apk multiple times: http://developer.android.com/guide/publishing/app-signing.html#signapp. If you are unable to get an unsigned build, though, you can just inflate the apk and then rejar it; you will then be able to sign it.

Removing `signingConfig signingConfigs.debug` in the release config in `build.gradle` worked for me:
release {
    //signingConfig signingConfigs.debug -> removed
}
