Android APK Signing

I’m signing an APK with jarsigner, and there is a warning:

jarsigner> No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate’s expiration date or after any future revocation date.

How do I add a timestamp?

On the command line there is an option, -tsa http://timestamp.digicert.com, for a DigiCert code signing certificate. I can’t see the option in Water and VS - I can’t add a URL for the timestamp server.

Hmm, are you manually signing this, or letting EBuild do it? I’ve never seen this warning, when EBuild signs my app…

Signing as a build step

Curious. Can you set the build log level to Diagnostic, do a “rebuild” and send me the log?

→ Task CodeSign started for inprax.firma, Cooper-Android.
D: Ignoring outdated cached data for JavaSign (2018-10-23 >= 2018-10-17)
D: “C:\Program Files (x86)\Java\jdk1.8.0_161\bin\jarsigner.exe” -keystore C:\Projekty\Android\projekty\instalacje\inprax.instalacje\CertyfikatCS.jks -storepass ******** -keypass ****** “C:\Users\LHeczko\AppData\Local\RemObjects Software\EBuild\Obj\inprax.firma-27345FE9C3FA2DDC98492A9964018BB410932B5A\Debug\Cooper-Android\inprax.firma_step3.apk” te-fef8ef8e-4149-4f65-8499-316df75c64ab -digestalg SHA1 -sigalg SHA1withRSA
jarsigner> jar signed.
W: jarsigner:
jarsigner> No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate’s expiration date (2019-10-21) or after any future revocation date.
D: C:\AndroidSDK\build-tools\27.0.1\zipalign.exe -f -v 4 “C:\Users\LHeczko\AppData\Local\RemObjects Software\EBuild\Obj\inprax.firma-27345FE9C3FA2DDC98492A9964018BB410932B5A\Debug\Cooper-Android\inprax.firma_step3.apk” “C:\Users\LHeczko\AppData\Local\RemObjects Software\EBuild\Obj\inprax.firma-27345FE9C3FA2DDC98492A9964018BB410932B5A\Debug\Cooper-Android\inprax.firma.apk”

Will it be enough, or should I paste the whole build log?

The same using the command line, but in cmd I can add -tsa http://timestamp.digicert.com

Whole build log sent in PM

Fixed; added a project setting, and it defaults to http://timestamp.digicert.com when not set.

Yesterday I was talking with DigiCert help, because our app with the new certificate can’t be installed due to Google Play Protect, and here is what he wrote:
Android doesn’t require a CA signed cert for code signing to be valid. In order to get it to work, you need to have your private key set for ~25 years. It’s quite difficult to get that to work right. I would highly recommend using a self signed cert for Android APK signing.
Certificates from a CA do not work, but self-signed will work - it’s Android and Android’s safety… No comments for Google…

Oh, so you had purchased a cert from digicert.com?

I’m guessing http://timestamp.digicert.com should probably not be the default for everyone then. I’ll keep the option, but make it off by default.