Code signing an Android application

iOS requires signing certificates and provisioning profiles for development and distribution. Android simply requires an app to be signed only when it’s ready to be published to the Google Play Store.

Prior to releasing for Google Play, we can publish a debug (non-signed) version of the app to our Android device(s) for testing. Compared to the different iOS configuration and set-up requirements, this does make life a lot easier as a developer.

Signing Android applications is quite simple, though, and involves working with either of the following tools:

  • Keystore command-line utility
  • Android Studio

We’ll explore each of the above tools, starting with the command-line-based Keystore utility, a free software tool included with the system JDK, which is used to manage cryptographic keys and trusted certificates.

Code signing an Ionic Cordova app

In the terminal, navigate to the root of the app directory and issue the following command (replacing app-name with the name of the app and alias_name with a suitable alias for the Keystore file):

keytool -genkey -v -keystore app-name-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

When the above command is run, we will be prompted to create a password for the Keystore and then answer a series of questions before the file is finally created.

When this process has been completed, the generated Keystore file will be saved in the root directory of our app.

Remember: For future reference, it would be wise to save the Keystore file to another location outside of the project. Do not lose this Keystore file because you won’t be able to make updates to the Android app if you do.

We definitely do not want this file to be added or made available to version control, as this would present a huge security risk. It also shouldn’t be in the published IPA/APK binaries for our apps that are distributed via the Apple and Google Play App stores or via ad-hoc distribution.

If someone were to reverse-engineer the code for those binaries, they would gain access to the Keystore if it were present in the codebase, which is not good! Remember, a good developer is a security-conscious developer!
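The point above about keeping the Keystore out of shipped binaries can be checked before upload. The following is an added example, not code from the original lesson: it lists entries in an APK or IPA (both are ZIP archives) that look like a keystore by file name or by the JKS/JCEKS magic bytes. The suffix list, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# File-name suffixes commonly used for keystores (assumed list, extend as needed).
KEYSTORE_SUFFIXES = (".keystore", ".jks", ".bks", ".p12", ".pfx")
# Magic numbers at the start of JKS and JCEKS keystore files.
KEYSTORE_MAGICS = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}


def find_keystores(archive):
    """Return [(entry_name, reason)] for keystore-like entries in an APK/IPA.

    `archive` is a path or a binary file object. PKCS12 keystores have no
    simple magic number, so they are matched by file name only.
    """
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head in KEYSTORE_MAGICS:
                findings.append((info.filename, KEYSTORE_MAGICS[head] + " magic"))
            elif info.filename.lower().endswith(KEYSTORE_SUFFIXES):
                findings.append((info.filename, "keystore file name"))
    return findings


def build_sample_apk(with_keystore):
    """Constructed sample: a tiny ZIP laid out like an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/www/index.html", b"<html></html>")
        if with_keystore:
            # Renamed JKS file: caught by its magic bytes, not by its name.
            zf.writestr("assets/www/data.bin", b"\xfe\xed\xfe\xed\x00\x00\x00\x02")
            zf.writestr("assets/www/app-name-release-key.keystore", b"0\x82")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, flag in (("clean", False), ("leaky", True)):
        hits = find_keystores(build_sample_apk(flag))
        print(label, "->", hits or "no keystore found")
```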

If you’ve tried running the above command and are experiencing problems, please refer to this Android installation guide to make sure that the necessary software is installed in your environment and that system paths are correctly configured (this is hugely important, so don’t overlook this).

Signing your Android app

There should now be a Keystore file residing in the root directory of your project. In order to sign the Android app, we’ll first need to generate a build file with the following terminal command (add the --prod flag for Ahead-of-Time compiling):

ionic cordova build android --prod --release

Once successfully completed, this will generate an unsigned APK file, based on the values we entered in the config.xml file, located in the platforms/android/build/outputs/apk/ directory.

To sign this unsigned APK file, we’ll need to run the jarsigner utility (another tool included with the JDK installation on the system), which generates the necessary digital signature for the APK file based on the information contained within the Keystore. From the terminal, issue the following command:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore app-name-release-key.keystore nameOfYourApp-release-unsigned.apk alias_name

Remember: Be sure to change the following from the above command to match the values on your system:

  • The app-name-release-key.keystore value should be changed to the name of the Keystore file that you generated earlier and, if required, prefixed with the path to this file.
  • The nameOfYourApp-release-unsigned.apk value should be changed to the path or name of the unsigned APK file.
  • The alias_name value should be the alias used when generating the Keystore file.

Once we’ve generated the signed APK file, the last step will involve optimizing this using the zipalign tool (which will have been installed as part of Android Studio):

zipalign -v 4 nameOfYourApp-release-unsigned.apk nameOfYourApp.apk

Like before, change the following to match the values of the project. Don’t forget to prefix with the path to each file:

  • nameOfYourApp-release-unsigned.apk
  • nameOfYourApp.apk

Once completed, we should find the signed and optimized APK file (nameOfYourApp.apk) located in the platforms/android/build/outputs/apk/ directory.

Now the Android app is signed and ready for submission to the Google Play Store!
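Before uploading, it is worth confirming that both steps above took effect. The following is an added example, not code from the original lesson: it checks that an APK carries the META-INF files jarsigner writes and that every uncompressed entry starts on a 4-byte boundary, the property zipalign -v 4 enforces. It is a structural check only (jarsigner -verify performs the cryptographic one); the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile


def inspect_apk(data, alignment=4):
    """Return (has_v1_signature, misaligned) for an APK given as bytes.

    misaligned lists (entry_name, data_offset) for stored entries whose data
    does not start on an `alignment`-byte boundary. The signature itself is
    NOT validated cryptographically here.
    """
    misaligned = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # jarsigner (JAR/v1 signing) adds a manifest, a .SF signature file
        # and a signature block (.RSA for an RSA key) under META-INF/.
        meta = [n.upper() for n in zf.namelist()
                if n.upper().startswith("META-INF/")]
        has_v1 = ("META-INF/MANIFEST.MF" in meta
                  and any(n.endswith(".SF") for n in meta)
                  and any(n.endswith(".RSA") for n in meta))
        for info in zf.infolist():
            if info.is_dir() or info.compress_type != zipfile.ZIP_STORED:
                continue  # only uncompressed entries need alignment
            # Local file header: 30 fixed bytes, then name and extra field;
            # their lengths are the two uint16 values at offset 26.
            name_len, extra_len = struct.unpack_from(
                "<HH", data, info.header_offset + 26)
            offset = info.header_offset + 30 + name_len + extra_len
            if offset % alignment:
                misaligned.append((info.filename, offset))
    return has_v1, misaligned


def build_sample(signed):
    """Constructed sample ZIP with APK-like entry names (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("resources.arsc", b"ARSC")      # data starts at offset 44
        zf.writestr("res/raw/a.bin", b"\x00" * 8)   # data starts at offset 91
        if signed:
            # Placeholder signature entries, compressed as in a typical APK.
            for name in ("MANIFEST.MF", "ALIAS_NA.SF", "ALIAS_NA.RSA"):
                zf.writestr("META-INF/" + name, b"placeholder",
                            compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_apk(build_sample(signed=True)))
```

A non-empty misaligned list means zipalign was skipped or run on a different file; zipalign -c -v 4 on the final APK reports the same condition.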

Code-signing an Ionic Capacitor app

If the command-line approach feels a little cumbersome (and there are many front-end and mobile developers who find it so), then Android Studio allows us to code-sign the applications with “relative” ease.

We say “relative” because Android Studio can be quite buggy in terms of not always behaving correctly, only to work ten minutes later after trying any one or a combination of the following solutions:

  • Invalidating caches
  • Syncing the project with Gradle
  • Cleaning and rebuilding a project
  • Restarting the software program

It’s a mystery why Android Studio can be so unpredictable, but if any potential issues are encountered over the course of this lesson, please visit the Troubleshooting Your Ionic App lesson for possible fixes and workarounds.

Running an Ionic build

Before we can code-sign an Ionic/Capacitor-built Android app, we’ll need to run an Ionic build process, copy the assets to the Android directory, and subsequently open the project within Android Studio using the following commands:

ionic build
npx cap copy
npx cap open android

Our project should now be open within Android Studio.

Before publishing an Ionic/Capacitor project, always select the launched project’s AndroidManifest.xml file (app/src/main/AndroidManifest.xml) to double-check that the application’s package name and label are configured correctly and that all of the application plugin permissions are in place.

The values contained within this file should be correctly configured by default, but it never hurts to go over these with a critical eye just to ensure that nothing is missing – especially where plugin permissions are concerned.

Within Android Studio, this file is displayed like so:
