"Package not signed correctly" appearing for some users

Question

I have an app on Google Play for years that has seen countless updates. The latest update (the first one in a while) fails to install for some people, they simply get the "Package not signed correctly" error message.

It works for my Android devices I have at home. I'm building and signing with a custom build system that basically boils down to calling ant release, followed by

jarsigner -verbose -keystore $(keystore) -storepass $(storepass) $(appname).apk $(alias)
zipalign -v 4 $(appname).apk $(finalname).apk

That has worked for years, there were no changes to the build system or keystore, I don't know why it stopped working for some users.

I noticed that the documentation added the following caution:

As of JDK 7, the default signing algorithim [sic] has changed, requiring you to specify the signature and digest algorithims [sic] (-sigalg and -digestalg) when you sign an APK.

So I added -sigalg SHA1withDSA -digestalg SHA1, which produces an APK with a different size. I can try rolling that out, but I don't want to keep pushing out updates and annoy the users without knowing that I'm actually fixing something.

Why does this only fail for some people? How do I fix it? Is explicitly specifying -sigalg/-digestalg enough?

possible duplicate of [Published Android apk gives error "Package file was not signed correctly"](http://stackoverflow.com/questions/2519374/published-android-apk-gives-error-package-file-was-not-signed-correctly) — Jim G., Apr 26 '14 at 22:17

Viswanath Lekshmanan · Answer 1 · 2014-01-07T08:51:42.797

The problem is same as you said about jdk7. To overcome that there are lot of discussions over the same topic

Try this by adding

<presetdef name="signjar">
<signjar sigalg="MD5withRSA" digestalg="SHA1" />
</presetdef>

within your build.xml file

Note

The problem is after building a release version with ant release the apk could not be installed on physical device

This only happens with JDK 7 with JDK 1.6.25 all is fine!

It affects only a small percentage because for jarsign jdk7 need SHA1 digest algm, but not with the default algorithms, whatever they are. So device with some other algorithms as default will reject this and cause the problem.

The below are the algorithms used

By default, jarsigner signs a JAR file using one of the following:

DSA (Digital Signature Algorithm) with the SHA1 digest algorithm
RSA algorithm with the SHA256 digest algorithm.
EC (Elliptic Curve) cryptography algorithm with the SHA256 with ECDSA (Elliptic Curve Digital Signature Algorithm).

For more jar signing

Thanks Arju. I guess my confusion comes from not knowing that each device has its own default algorithm - I didn't think that would differ across devices. — EboMike, Jan 13 '14 at 07:55
Yeah, your question also gives me some more knowlwdge on this — Viswanath Lekshmanan, Jan 13 '14 at 08:49

score 1 · Answer 2 · edited May 23 '17 at 12:30

1

Check this answer:

Published Android apk gives error “Package file was not signed correctly

The problem seems to be related with jdk7 so your fix could solve the problem (but I haven't experienced it myself!)

edited May 23 '17 at 12:30

Community

1
1

answered Jan 07 '14 at 08:30

Pedro Loureiro

11,436
2
31
37

That would indicate my supposed fix in the question would actually fix it. I don't get why it only affects a percentage of users? – EboMike Jan 07 '14 at 08:45
I believe arju has the response for that: some devices might be missing that algorithm or not using the right one by default – Pedro Loureiro Jan 07 '14 at 13:31

score 1 · Answer 3 · edited May 23 '17 at 12:22

1

We can signed application using eclipse. Like:- Right-click your project in Eclipse > Chose Android Tool > Export Signed Application Package...

Android Application APK signing?

I hope this may help.Thanks!!

edited May 23 '17 at 12:22

Community

1
1

answered Jan 07 '14 at 09:56

Jagdish

2,418
4
25
51

"Package not signed correctly" appearing for some users

3 Answers3

Linked