10

I am having problems with the error described in the questions below:

Published Android apk gives error "Package file was not signed correctly"
Some (but not all) users receive "Package file was not signed correctly" when downloading my app from Google Play

Specifically, when some users try to download my Google Play app, they get the error, others don't.

My question is: how to detect before submission whether the problem is going to occur or not?

For what it's worth, when I run

jarsigner -verify -verbose -certs myapk.apk

I see something like the following:

86226 Sun Nov 09 10:34:54 EET 2014 META-INF/MANIFEST.MF

  X.509, //[personal stuff omitted]
  [certificate is valid from 8/20/14 8:04 AM to 1/5/42 7:04 AM]
  [CertPath not validated: Path does not chain with any of the trust anchors]

// several hundred entries like the above, and then:

jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2042-01-05) or after any future revocation date.

William Jockusch
  • Which IDE do you use? How do you build the project? is there any special library you use? – TacB0sS Nov 25 '14 at 11:43
  • Are you sure you've used the same keystore and alias? Have these users downloaded the previous version from Playstore as well or perhaps another store or manually? If you have the two versions of apks, you can compare their MD5s to see if there was a mistake with the keystores – TacB0sS Nov 25 '14 at 12:09
  • Xamarin Studio on my mac. The problem occurs when I publish via project menu > publish. It does not occur when I sign in terminal with jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore myKeystore myAPK keystoreAlias. But I'd really like to be able to test a signed apk to see if it is good or not. – William Jockusch Nov 26 '14 at 06:17
  • @William Jockusch, it's tried (not Mac, on Windows 7 with java 8) to use your SHA1withRSA via terminal - same warning for no time stamp (before reading your post I've tried MD5withRSA with time stamp warning result). Google wants Android Developers use Mac? Or maybe java 7 jarsigner for Mac is old same-no-warning functionality as java 6 for Win? – Alex Martian Mar 07 '16 at 07:51

6 Answers

5

Actually this is a common problem and I guess you must be using Java 7 or later.

Solution

Run jarsigner:

jarsigner -verbose -verify -keystore ${KEYSTORE_PATH} ${YOU_JAR_FILE}

have a look here

ProllyGeek
  • OK, based on the output, how do I know if the problem will occur or not? – William Jockusch Nov 25 '14 at 06:25
  • Experiment is the best option: find a user who has this issue, re-sign your app, make the user reinstall the app, and check if the problem happens. IMO there is a 90% chance it won't happen, this is not a new issue. – ProllyGeek Nov 25 '14 at 06:32
  • **Actually this is a common problem** - common how? is that a specific setup? project? jvm? IDE? build? I've built and released hundreds of apk versions to the playstore and never had this sort of issue... is there any consistent cause? – TacB0sS Nov 25 '14 at 11:42
  • @TacB0sS this is common for people who use java 7. – ProllyGeek Nov 25 '14 at 13:50
  • We've been using Eclipse until today. We've now moved to Android Studio that forces you to use Java 7... so every release from now on would be like this? This doesn't make much sense... this would make Studio useless. – TacB0sS Nov 25 '14 at 14:11
  • @TacB0sS the OP did not mention anything about moving to Android Studio, even though, this assures the issue cause, is it really hard to try my solution and prove I'm wrong or right? – ProllyGeek Nov 25 '14 at 14:18
  • @ProllyGeek Oh, I know he didn't, I was just replying to your comment after connecting the two dots while in the back of my head I know I must release tomorrow my first production apk using Android Studio... So once I produce that APK, I will test it as you have suggested! – TacB0sS Nov 25 '14 at 20:08
  • I uninstalled Java 7/6, installed 6 and used jarsigner from Java 6 to sign, then even used keytool from Java 6 for a new keystore: Java 6 jarsigner does not give warnings on the APK generated by it; however, when I tried to verify the APK with jarsigner from Java 8, the same warnings were generated, so the point is not that Java 6 makes the signed APK better than the new 7/8, but that the new 7/8 give more details about the result. – Alex Martian Mar 07 '16 at 07:04
3

Not actually a test to see if the apk is signed properly, but I feel this is useful:

I got this problem a while ago, my solution: sign by hand.
Here is the script:

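#!/bin/bash
# Re-sign an APK by hand: strip the old signature, sign with SHA-1, then zipalign.
keystore="path/to/your.keystore"   # placeholder: used below but never set in the original
storepass="your store pass"
keypass="your key pass"
alias="alias"
if [ $# -lt 1 ]; then
    echo "$0 <apk file>"
    exit 1
fi

filename=$(basename "$1")
extension="${filename##*.}"
filename="${filename%.*}"

if [ "$extension" != "apk" ]; then
    echo "Inputfile is no apk!"
    exit 1
fi

# Work on a copy and delete everything under META-INF (the old signature)
cp "$1" "$filename-tmp.apk"
zip -d "$filename-tmp.apk" "META-INF*"
rm -rf "$filename-signed.apk"
# Sign with explicit SHA-1 algorithms instead of the jarsigner defaults
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore "$keystore" -storepass "$storepass" -keypass "$keypass" "$filename-tmp.apk" "$alias"
# zipalign must run after signing; adjust the path to your SDK build-tools
/Developer/android-sdk-macosx/build-tools/20.0.0/zipalign -f -v 4 "$filename-tmp.apk" "$filename-signed.apk"
rm -rf "$filename-tmp.apk"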

You might need to update for your settings. I have tested it with multiple devices (Galaxy Note 10.5, Samsung Galaxy S3, S5, Nexus 4, Lenovo Tab)
Seems to work so far.

(Signed on Mac OSX)

Eun
  • 1
    Not really an answer to the question as posed, but I'm awarding the bounty because it's the best answer so far. – William Jockusch Nov 29 '14 at 11:27
  • I am getting this error after executing the above command: "jarsigner: unable to sign jar: java.util.zip.ZipException: invalid entry compressed size (expected 4021 but got 4061 bytes)". What might be the issue? – KK_07k11A0585 Jan 30 '15 at 11:45
1

cordova build android --release

Before that, make sure to configure it: create an ant.properties file in platforms/android/ with a keystore path and alias name:

key.store=/path/to/keystore/release_key_name.keystore
key.alias=alias_name

You will be prompted for the password.

The APK will be created at platforms/android/ant-build/app_name-release.apk.

Source http://ilee.co.uk/Sign-Releases-with-Cordova-Android/

Denis Besic
1

how to detect before submission whether the problem is going to occur or not

If you run jarsigner -verify -verbose -certs myapk.apk before you submit your build and you don't get any warnings like you are seeing, then the problem is not going to occur.

For what it is worth, on OSX I avoid this issue by temporarily switching to Java 6 just for the release build:

sudo cp -R /System/Library/Java/JavaVirtualMachines/1.6.0.jdk /Library/Java/JavaVirtualMachines/1.6.0.jdk
sudo mv /Library/Java/JavaVirtualMachines/jdk1.8.0_31.jdk ~/Desktop/jdk1.8.0_31.jdk
java -version   # shows java version "1.6.0_65" yay!!

Do my build without the certificate and timestamped errors. And revert back to Java 8:

sudo mv ~/Desktop/jdk1.8.0_31.jdk /Library/Java/JavaVirtualMachines/jdk1.8.0_31.jdk
Jannie Theunissen
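An added example (not from any answer on this page) of one check that can run before submission: it lists the digest algorithms named in the APK's META-INF/MANIFEST.MF and *.SF files and flags anything other than SHA-1, the value the question author's working `-digestalg SHA1` command produces. The accepted set, the function names and the `constructed_apk` sample are assumptions made for illustration.

```python
import io
import re
import zipfile

# Digest attributes look like "SHA1-Digest:" or "SHA-256-Digest-Manifest:".
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
# Assumption: the oldest devices you ship to accept only SHA-1 here.
ACCEPTED = {"SHA1", "SHA-1"}

def signature_digests(apk):
    """Map META-INF/MANIFEST.MF and each *.SF file to the digests it uses."""
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper == "META-INF/MANIFEST.MF" or (
                    upper.startswith("META-INF/") and upper.endswith(".SF")):
                text = zf.read(name).decode("utf-8", "replace")
                found[name] = {a.upper() for a in DIGEST_ATTR.findall(text)}
    return found

def presubmit_problems(apk):
    """Return human-readable findings; an empty list means the check passed."""
    digests = signature_digests(apk)
    problems = []
    if not any(n.upper().endswith(".SF") for n in digests):
        problems.append("no META-INF/*.SF file: APK is not JAR-signed")
    for name, algs in sorted(digests.items()):
        for alg in sorted(algs - ACCEPTED):
            problems.append(f"{name}: {alg} digest")
    return problems

def constructed_apk(alg):
    """Build a tiny in-memory stand-in for a signed APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\n"
                    f"{alg}-Digest: AAAA\r\n")
        zf.writestr("META-INF/CERT.SF",
                    f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: BBBB\r\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        print(alg, presubmit_problems(constructed_apk(alg)))
```

Pass a real APK path to `presubmit_problems` in a release script and fail the build on a non-empty result. The check reads only the digest attribute names, so the signature algorithm inside the .RSA block still has to be confirmed with `jarsigner -verify -verbose -certs`.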
0

Please use Eclipse ProGuard for that matter and replace your proguard.cfg content with this: (note that if you are using Android Studio you can import the project to Eclipse using import)

-optimizationpasses 5
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontskipnonpubliclibraryclassmembers
-dontpreverify
-dontshrink
-verbose

-injars bin/classes
-injars libs
-outjars bin/classes-processed.jar

-dontwarn org.apache.**
-dontwarn org.slf4j.**
-dontwarn org.json.*
-dontwarn org.mortbay.**
-dontwarn org.apache.log4j.**
-dontwarn org.apache.commons.logging.**
-dontwarn org.apache.commons.logging.**
-dontwarn org.apache.commons.codec.binary.**
-dontwarn javax.xml.**
-dontwarn javax.management.**
-dontwarn java.lang.management.**
-dontwarn android.support.**
-dontwarn com.google.code.**
-dontwarn oauth.signpost.**
-dontwarn twitter4j.**

-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*

-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider
-keep public class * extends android.app.backup.BackupAgentHelper
-keep public class * extends android.preference.Preference
-keep public class com.android.vending.licensing.ILicensingService
-keep public class com.google.code.linkedinapi.**

-keep class javax.**  { *; }
-keep class org.**  { *; }
-keep class java.lang.management.**  { *; }

# use the keep command in that format for your third party libraries

-keepclassmembers public class com.google.code.linkedinapi.client.impl.LinkedInApiXppClient {
     public <init>(java.lang.String, java.lang.String);
}

-keepclasseswithmembernames class * {
    native <methods>;
}

-keepclasseswithmembernames class * {
    public <init>(android.content.Context, android.util.AttributeSet);
}

-keepclasseswithmembernames class * {
    public <init>(android.content.Context, android.util.AttributeSet, int);
}

-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}

-keep class * implements android.os.Parcelable {
  public static final android.os.Parcelable$Creator *;
}
ymz
-1

This is a JAVA tooling problem. This occurs frequently with mixing JDK and JRE tools on the system. You do not use the tools from Java 7. Only use the tools from JDK 6.

Optionally, we can stop wasting more time by pasting the output from the following so that we both feel having actually done something:

which jarsigner

jarsigner -verify -verbose -certs yourJar.jar

Please go through this for more details

KhalodaRK84
Neenu
  • I guess you have copied the answer mentioned here http://developer.appcelerator.com/question/146110, and no, this is not the issue, the OP has already run jarsigner and you can check the output log. – ProllyGeek Nov 26 '14 at 05:19