15.04.2020

Linux Cli Generate Android App Signing Key

Linux Cli Generate Android App Signing Key 6,1/10 7603 votes

Linux Cli Generate Android App Signing Key Is Working
Linux Cli Generate Android App Signing Keyboard
Android App For Pc
Linux Cli Generate Android App Signing Key Is Free
Android App Download

Keytool will quickly generate a public/private key pair and store them in a keystore for you after you answer a few simple questions. Keytool has a number of commands. The most common command used for signing Android builds -genkeypair, commonly abbreviated -genkey. The other commands may be useful to you, but uncommonly so. Again, there are lots of options for this keytool command. To generate the key, use a KeyPairGenerator with KeyPairGeneratorSpec: /. Generate a new EC key pair entry in the Android Keystore by. using the KeyPairGenerator API. The private key can only be. used for signing or verification and only with SHA-256 or. SHA-512 as the message digest. Generate Key Store File using Cordova CLI: Generating key file is important to sign an APK file. This article explains how to generate key file to sign the APK file with simple steps. Run “GIT CMD” Prompt. Go to “C: Program Files Java jre7 bin” and make sure “keytool.exe” is present. If your using the CLI for dev purposes just use phonegap build android -debug -device. Your don't need to worry about any signing identity issues this way. For release builds use the other method you were using build -release. After a release build you need to sign the android-release-unsigned.apk before it can be put on a device.

do not wish to use Google Authenticator or Authy app that generates 2 step verification (2FA) codes on my iOS/Android phone. Is there any way I can produce 2FA codes from Linux command line for popular sites such as Gmail, Twitter, Facebook, Amazon and more?
The mobile apps generate secure 2 step verification codes to protect your online accounts from hackers. You get an additional layer of security. In addition to your password, you need to input 2FA codes for each login. This page explains how to use oathtool OTPs (one-time password) on Linux to secure your Gmail and other online accounts. Instead of waiting for text messages, get verification codes for free from the oathtool Linux command.

How to install oathtool Linux command line tool

oathtool is a command line tool for generating and validating OTPs and gpg2 is an OpenPGP encryption and signing tool for encrypting private keys used by oathtool. Type the commands as per your Linux distro to install the same.

Fedora Linux install oathtool

Open the terminal application and type the following dnf command:
$ sudo dnf install oathtool gnupg2

CentOS Linux/RHEL install oathtool

First enable EPEL repo on RHEL or CentOS 7 and run the following yum command:
$ sudo yum install oathtool gnupg2

Debian/Ubuntu Linux install oathtool

Simply use the apt command or apt-get command to install the same:
$ sudo apt update $ sudo apt upgrade $ sudo apt install oathtool gnupg2

SUSE/OpenSUSE Linux install oathtool

Simply run the following [nixcmd name=”zypper”:
$ sudo zypper ref $ sudo zypper in oath-toolkit gpg2

Linux 2 step verification (2FA) using oathtool

The syntax to generate totp is as follows:
oathtool -b --totp 'private_key'
Typically private_key only displayed once when you enable 2FA with online services such as Google/Gmail, Twitter, Facebook, Amazon, PayPal, Bank accounts and so on. You must keep private_key secrete and never share with anyone. Here is a sample session that creates code for my Twitter account.
$ oathtool -b --totp 'N3V3R G0nn4 G1v3 Y0u Up'
Sample outputs:

How to generate Two-Factor authentication code from your Linux CLI

Generate a new key pair for encryption if you don’t have a gpg key, run:
$ gpg2 --full-gen-key
Next, create some directories and helper scripts:
$ mkdir ~/.2fa/ $ cd ~/.2fa/
You can list GPG keys including GnuPG user id and key id, run:
$ gpg --list-secret-keys --keyid-format LONG

Shell script helper script to encrypt the totp secret (keys)

Create a shell script named encrypt.key.sh:

Shell script helper script to decrypt the totp secret and generate 2FA code

Create a shell script named decrypt.key.sh:

2FA using oathtool in the Linux command line for Gmail account

Let us see a complete example for Google/Gmail account. To enable 2FA visit and login:
https://www.google.com/landing/2step/
Visit 2-Step Verification > Get Started:
You may have to verify your mobile phone number. Once verified, scroll down and choose Authenticator app:
What kind of phone do you have? Choose iPhone or Android as we are going to use our CLI app and click Next:
Make sure you click on “CAN’T SCAN IT” to see totp secret key and copy it:
Cd into ~/.2fa/ directory and run the following commands:
cd ~/.2fa/ ### Step 1. create service directory ### ### vivek@gmail.com also act as service name for encrypt.key.sh ### mkdir vivek@gmail.com ### Step 2. Store totp secret key ### echo -n 'hilp zs6i c5qu bx7z akiz q75e wk5z z66b' > ~/.2fa/vivek@gmail.com/.key
Encrypt the totp secret key file named ~/.2fa/vivek@gmail.com/.key with gpg and password protect it for security and privacy reasons using our encrypt.key.sh helper script:
### Step 3. Secure totp secret key for service named vivek@gmail.com ### ./encrypt.key.sh vivek@gmail.com
Finally click on the Next button:
It is time to create your first 6-digit code using oathtool command. However, we automated this process using decrypt.key.sh shell script that decrypts the totp secret and generates the 6-digit 2FA code. Simply run:
./decrypt.key.sh vivek@gmail.com
You need to type the gpg passphrase to unlock the secrete key for service named vivek@gmail.com:
Finally you will see the 6-digit code as follows on screen:
Withing 30 seconds you need to type the 330197 code and click on the verify button:
And you are done:

How to add another service

The syntax is pretty simple:

Log in to online service such as Twitter, Facebook, Bank account and look for Authenticator 2FA app. For example, let us set up Twitter account 2FA using Linux command line app.
Copy the totp secret from Twitter account.
Create a new service directory: mkdir ~/.2fa/twitter.com/
Make a new .key file: echo -n 'your-twitter-totp-secret-key' > ~/.2fa/twitter.com/.key
Generate a new PGP encrypted file for security and privacy reasons: ~/.2fa/encrypt.key.sh twitter.com
Decrypts the totp secret and generates the 6-digit 2FA code when you need to log in into Twitter: ~/.2fa/decrypt.key.sh twitter.com

You can repeat the above process for any services that display the totp secret along with QR code.

Conclusion

The main advantage of Linux command line is that you can easily backup your ~/.2fa/ directory and keys. Your totp secrets/keys are always encrypted and password protected by gpg2. Mobile apps such as Google Authenticator usually do not allow you to sync or copy secrets/keys for security reasons. So if you lost phone or switch phone, you wouldn’t be able to login into the account. This set up is simple and easy to backup/restore as long as you remember your gpg2 passphrase. I strongly recommend that you enable full disk encryption (FDE) too. Next time I will show you how to use GUI apps for the same purpose. See oathtool man page for more information here.

Quickview

All Android apps must be signed
You can sign with a self-signed key
How you sign your apps is critical — read this document carefully
Determine your signing strategy early in the development process

In this document

Signing Release Mode

Signing Process

The Android build process signs your application differently depending on which build mode youuse to build your application. There are two build modes: debug mode and releasemode. You use debug mode when you are developing and testing your application. You userelease mode when you want to build a release version of your application that you candistribute directly to users or publish on an application marketplace such as Google Play.

When you build in debug mode the Android SDK build tools use the Keytool utility(included in the JDK) to create a debug key. Because the SDK build tools created the debug key,they know the debug key's alias and password. Each time you compile your application in debug mode,the build tools use the debug key along with the Jarsigner utility (also included in the JDK) tosign your application's .apk file. Because the alias and password are known to the SDKbuild tools, the tools don't need to prompt you for the debug key's alias and password each timeyou compile.

When you build in release mode you use your own private key to sign your application. Ifyou don't have a private key, you can use the Keytool utility to create one for you. When youcompile your application in release mode, the build tools use your private key along with theJarsigner utility to sign your application's .apk file. Because the certificate andprivate key you use are your own, you will have to provide the password for the keystore and keyalias.

The debug signing process happens automatically when you run or debug your application usingEclipse with the ADT plugin. Debug signing also happens automatically when you use the Ant buildscript with the debug option. You can automate the release signing process by using theEclipse Export Wizard or by modifying the Ant build script and building with therelease option.

Signing Strategies

Some aspects of application signing may affect how you approach the developmentof your application, especially if you are planning to release multipleapplications.

In general, the recommended strategy for all developers is to signall of your applications with the same certificate, throughout the expectedlifespan of your applications. There are several reasons why you should do so:

Application upgrade – As you release updates to your application, youwill want to continue to sign the updates with the same certificate or set ofcertificates, if you want users to upgrade seamlessly to the new version. Whenthe system is installing an update to an application, it compares thecertificate(s) in the new version with those in the existing version. If thecertificates match exactly, including both the certificate data and order, thenthe system allows the update. If you sign the new version without using matchingcertificates, you will also need to assign a different package name to theapplication — in this case, the user installs the new version as acompletely new application.
Application modularity – The Android system allows applications thatare signed by the same certificate to run in the same process, if theapplications so requests, so that the system treats them as a single application.In this way you can deploy your application in modules, and users can updateeach of the modules independently if needed.
Code/data sharing through permissions – The Android system providessignature-based permissions enforcement, so that an application can exposefunctionality to another application that is signed with a specifiedcertificate. By signing multiple applications with the same certificate andusing signature-based permissions checks, your applications can share code anddata in a secure manner.

Another important consideration in determining your signing strategy ishow to set the validity period of the key that you will use to sign yourapplications.

If you plan to support upgrades for a single application, you should ensurethat your key has a validity period that exceeds the expected lifespan ofthat application. A validity period of 25 years or more is recommended.When your key's validity period expires, users will no longer beable to seamlessly upgrade to new versions of your application.
If you will sign multiple distinct applications with the same key,you should ensure that your key's validity period exceeds the expectedlifespan of all versions of all of the applications, includingdependent applications that may be added to the suite in the future.
If you plan to publish your application(s) on Google Play, thekey you use to sign the application(s) must have a validity periodending after 22 October 2033. Google Play enforces this requirementto ensure that users can seamlessly upgrade applications whennew versions are available.

As you design your application, keep these points in mind and make sure touse a suitable certificate to sign your applications.

Basic Setup for Signing

Before you begin, make sure that the Keytool utility and Jarsigner utility are available tothe SDK build tools. Both of these tools are available in the JDK. In most cases, you can tellthe SDK build tools how to find these utilities by setting your JAVA_HOME environmentvariable so it references a suitable JDK. Alternatively, you can add the JDK version of Keytool andJarsigner to your PATH variable.

If you are developing on a version of Linux that originally came with GNU Compiler forJava, make sure that the system is using the JDK version of Keytool, rather than the gcjversion. If Keytool is already in your PATH, it might be pointing to a symlink at/usr/bin/keytool. In this case, check the symlink target to be sure it pointsto the Keytool in the JDK.

Signing in Debug Mode

The Android build tools provide a debug signing mode that makes it easier for youto develop and debug your application, while still meeting the Android systemrequirement for signing your APK.When using debug mode to build your app, the SDK tools invoke Keytool to automatically createa debug keystore and key. This debug key is then used to automatically sign the APK, soyou do not need to sign the package with your own key.

The SDK tools create the debug keystore/key with predetermined names/passwords:

Keystore name: 'debug.keystore'
Keystore password: 'android'
Key alias: 'androiddebugkey'
Key password: 'android'
CN: 'CN=Android Debug,O=Android,C=US'

If necessary, you can change the location/name of the debug keystore/key orsupply a custom debug keystore/key to use. However, any custom debugkeystore/key must use the same keystore/key names and passwords as the defaultdebug key (as described above). (To do so in Eclipse/ADT, go toWindows > Preferences >Android > Build.)

Caution: You cannot release your applicationto the public when signed with the debug certificate.

Eclipse Users

If you are developing in Eclipse/ADT (and have set up Keytool and Jarsigner as described above inBasic Setup for Signing),signing in debug mode is enabled by default. When you run or debug yourapplication, ADT signs the .apk file with the debug certificate, runs zipalign onthe package, then installs it onthe selected emulator or connected device. No specific action on your part is needed,provided ADT has access to Keytool.

Ant Users

If you are using Ant to build your .apk file, debug signing modeis enabled by using the debug option with the ant command(assuming that you are using a build.xml file generated by theandroid tool). When you run ant debug tocompile your app, the build script generates a keystore/key and signs the APK for you.The script then also aligns the APK with the zipalign tool.No other action on your part is needed. ReadBuilding and Running Appson the Command Line for more information.

Expiry of the Debug Certificate

The self-signed certificate used to sign your application in debug mode (the default onEclipse/ADT and Ant builds) will have an expiration date of 365 days from its creation date.

When the certificate expires, you will get a build error. On Ant builds, the errorlooks like this:

In Eclipse/ADT, you will see a similar error in the Android console.

Linux Cli Generate Android App Signing Key Is Working

To fix this problem, simply delete the debug.keystore file.The default storage location for AVDs is in ~/.android/ on OS X and Linux,in C:Documents and Settings<user>.android on Windows XP, and inC:Users<user>.android on Windows Vista and Windows 7.

The next time you build, the build tools will regenerate a new keystore and debug key.

Note that, if your development machine is using a non-Gregorian locale, the buildtools may erroneously generate an already-expired debug certificate, so that you get anerror when trying to compile your application. For workaround information, see thetroubleshooting topic I can't compile my app because the build tools generated an expired debugcertificate.

Signing in Release Mode

Linux Cli Generate Android App Signing Keyboard

When your application is ready for release to other users, you must:

If you are developing in Eclipse with the ADT plugin, you can use the Export Wizardto perform the compile, sign, and align procedures. The Export Wizard even allows you togenerate a new keystore and private key in the process. So if you use Eclipse, you canskip to Compile and sign with Eclipse ADT.

1. Obtain a suitable private key

In preparation for signing your application, you must first ensure thatyou have a suitable private key with which to sign. A suitable privatekey is one that:

Is in your possession
Represents the personal, corporate, or organizational entity to be identifiedwith the application
Has a validity period that exceeds the expected lifespan of the applicationor application suite. A validity period of more than 25 years is recommended.
If you plan to publish your application(s) on Google Play, note that avalidity period ending after 22 October 2033 is a requirement. You can not upload anapplication if it is signed with a key whose validity expires before that date.
Is not the debug key generated by the Android SDK tools.

The key may be self-signed. If you do not have a suitable key, you mustgenerate one using Keytool. Make sure that you have Keytool available, as describedin Basic Setup.

To generate a self-signed key with Keytool, use the keytoolcommand and pass any of the options listed below (and any others, asneeded).

Warning: Keep your private key secure.Before you run Keytool, make sure to readSecuring Your Private Key for a discussion of how to keepyour key secure and why doing so is critically important to you and to users. Inparticular, when you are generating your key, you should select strong passwordsfor both the keystore and key.

Keytool Option	Description
`-genkey`	Generate a key pair (public and privatekeys)
`-v`	Enable verbose output.
`-alias <alias_name>`	An alias for the key. Onlythe first 8 characters of the alias are used.
`-keyalg <alg>`	The encryption algorithm to usewhen generating the key. Both DSA and RSA are supported.
`-keysize <size>`	The size of each generated key(bits). If not supplied, Keytool uses a default key size of 1024 bits. Ingeneral, we recommend using a key size of 2048 bits or higher.
`-dname <name>`	A Distinguished Name that describeswho created the key. The value is used as the issuer and subject fields in theself-signed certificate. Note that you do not need to specify this optionin the command line. If not supplied, Jarsigner prompts you to enter eachof the Distinguished Name fields (CN, OU, and so on).
`-keypass <password>`	The password for thekey. As a security precaution, do not include this option in your commandline. If not supplied, Keytool prompts you to enter the password. In this way,your password is not stored in your shell history. If they recognize that you apply an invalid of unauthorized Windows 7 product key generator on your Computer, they can exit the subscription as well as your Windows 7 asks for the product key or certification again. Windows 7 starter upgrade price. Windows 7 Product Key Generator is fixed the most favorite operating system because of its excellent feature-wealthy environment, impressive start menu and most importantly its user-friendly interface, which makes it unique Windows operating system out there.It’s coded in a safe and secures new way so that it cannot be discovered through the authorized developer referred to like Microsoft. That could be a more difficult factor for you and much waste of time too. You may be in trouble for yours. But don’t worry whatsoever for those who have downloaded the Windows 7 Key I’m brief this main page.However, its product unknown is somewhat pricey, and for those who have discarded it, you’ll have to achieve it again from the official real Microsoft store.
`-validity <valdays>`	The validity period for thekey, in days. Note: A value of 10000 or greater is recommended.
`-keystore <keystore-name>.keystore`	A namefor the keystore containing the private key.
`-storepass <password>`	A password for thekeystore. As a security precaution, do not include this option in yourcommand line. If not supplied, Keytool prompts you to enter the password. Inthis way, your password is not stored in your shell history.

Here's an example of a Keytool command that generates a private key:

Running the example command above, Keytool prompts you to providepasswords for the keystore and key, and to provide the DistinguishedName fields for your key. It then generates the keystore as a file calledmy-release-key.keystore. The keystore and key areprotected by the passwords you entered. The keystore containsa single key, valid for 10000 days. The alias is a name that you —will use later, to refer to this keystore when signing your application.

For more information about Keytool, see the documentation athttp://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

2. Compile the application in release mode

In order to release your application to users, you must compile it in release mode.In release mode, the compiled application is not signed by default and you will needto sign it with your private key.

Caution:You can not release your application unsigned, or signed with the debug key.

With Eclipse

To export an unsigned APK from Eclipse, right-click the project in the PackageExplorer and select Android Tools >Export Unsigned ApplicationPackage. Then specify the file location for the unsigned APK.(Alternatively, open your AndroidManifest.xml file in Eclipse, selectthe Manifest tab, and click Export an unsigned APK.)

Note that you can combine the compiling and signing steps with the Export Wizard. SeeCompiling and signing with Eclipse ADT.

With Ant

If you are using Ant, you can enable release mode by using the release optionwith the ant command. For example, if you are running Ant from thedirectory containing your build.xml file, the command would look like this:

By default, the build script compiles the application APK without signing it. The output filein your project bin/ will be <your_project_name>-unsigned.apk.Because the application APK is still unsigned, you must manually sign it with your privatekey and then align it using zipalign.

However, the Ant build script can also perform the signingand aligning for you, if you have provided the path to your keystore and the name ofyour key alias in the project's ant.properties file. With this information provided,the build script will prompt you for your keystore and alias password when you performant release, it will sign the package and then align it. The final outputfile in bin/ will instead be<your_project_name>-release.apk. With these stepsautomated for you, you're able to skip the manual procedures below (steps 3 and 4).To learn how to specify your keystore and alias in the ant.properties file,see Building and Running Apps on the Command Line.

3. Sign your application with your private key

When you have an application package that is ready to be signed, you can do sign itusing the Jarsigner tool. Make sure that you have Jarsigner available on yourmachine, as described in Basic Setup. Also, make sure thatthe keystore containing your private key is available.

To sign your application, you run Jarsigner, referencing both theapplication's APK and the keystore containing the private key with which tosign the APK. The table below shows the options you could use.

Jarsigner Option	Description
`-keystore <keystore-name>.keystore`	The name ofthe keystore containing your private key.
`-verbose`	Enable verbose output.
`-sigalg`	The name of the signature algorithim to use in signing the APK.Use the value `MD5withRSA`.
`-digestalg`	The message digest algorithim to use in processing the entriesof an APK. Use the value `SHA1`.
`-storepass <password>`	The password for thekeystore. As a security precaution, do not include this optionin your command line unless you are working at a secure computer.If not supplied, Jarsigner prompts you to enter the password. In thisway, your password is not stored in your shell history.
`-keypass <password>`	The password for the privatekey. As a security precaution, do not include this optionin your command line unless you are working at a secure computer.If not supplied, Jarsigner prompts you to enter the password. In thisway, your password is not stored in your shell history.

Here's how you would use Jarsigner to sign an application package calledmy_application.apk, using the example keystore created above.

Running the example command above, Jarsigner prompts you to providepasswords for the keystore and key. It then modifies the APKin-place, meaning the APK is now signed. Note that you can sign anAPK multiple times with different keys.

Caution: As of JDK 7, the default signing algorithim haschanged, requiring you to specify the signature and digest algorithims (-sigalg and -digestalg) when you sign an APK.

To verify that your APK is signed, you can use a command like this:

If the APK is signed properly, Jarsigner prints 'jar verified'.If you want more details, you can try one of these commands:

Android App For Pc

The command above, with the -certs option added, will show you the'CN=' line that describes who created the key.

Note: If you see 'CN=Android Debug', this means the APK wassigned with the debug key generated by the Android SDK. If you intend to releaseyour application, you must sign it with your private key instead of the debugkey.

For more information about Jarsigner, see the documentation athttp://docs.oracle.com/javase/6/docs/technotes/tools/windows/jarsigner.html

4. Align the final APK package

Once you have signed the APK with your private key, run zipalign on the file.This tool ensures that all uncompressed data starts with a particular byte alignment,relative to the start of the file. Ensuring alignment at 4-byte boundaries providesa performance optimization when installed on a device. When aligned, the Androidsystem is able to read files with mmap(), even ifthey contain binary data with alignment restrictions, rather than copying allof the data from the package. The benefit is a reduction in the amount ofRAM consumed by the running application.

The zipalign tool is provided with the Android SDK, inside thetools/ directory. To align your signed APK, execute:

The -v flag turns on verbose output (optional). 4 is thebyte-alignment (don't use anything other than 4). The first file argument isyour signed .apk file (the input) and the second file is the destination .apk file(the output). If you're overriding an existing APK, add the -f flag.

Caution: Your input APK must be signed with yourprivate key before you optimize the package with zipalign.If you sign it after using zipalign, it will undo the alignment.

Linux Cli Generate Android App Signing Key Is Free

For more information, read about thezipalign tool.

Compile and sign with Eclipse ADT

If you are using Eclipse with the ADT plugin, you can use the Export Wizard toexport a signed APK (and even create a new keystore,if necessary). The Export Wizard performs all the interaction withthe Keytool and Jarsigner for you, which allows you to sign the package using a GUIinstead of performing the manual procedures to compile, sign,and align, as discussed above. Once the wizard has compiled and signed your package,it will also perfom package alignment with zipalign.Because the Export Wizard uses both Keytool and Jarsigner, you shouldensure that they are accessible on your computer, as described abovein the Basic Setup for Signing.

To create a signed and aligned APK in Eclipse:

Select the project in the PackageExplorer and select File > Export.
Open the Android folder, select Export Android Application, and click Next.
The Export Android Application wizard now starts, which will guide you through the process of signing your application, including steps for selecting the private key with which to sign the APK (or creating a new keystore and private key).
Complete the Export Wizard and your application will be compiled, signed, aligned, and ready for distribution.

Securing Your Private Key

Maintaining the security of your private key is of critical importance, bothto you and to the user. If you allow someone to use your key, or if you leaveyour keystore and passwords in an unsecured location such that a third-partycould find and use them, your authoring identity and the trust of the userare compromised.

If a third party should manage to take your key without your knowledge orpermission, that person could sign and distribute applications that maliciouslyreplace your authentic applications or corrupt them. Such a person could alsosign and distribute applications under your identity that attack otherapplications or the system itself, or corrupt or steal user data.

Your reputation as a developer entity depends on your securing your privatekey properly, at all times, until the key is expired. Here are some tips forkeeping your key secure:

Select strong passwords for the keystore and key.
When you generate your key with Keytool, do not supply the-storepass and -keypass options at the command line.If you do so, your passwords will be available in your shell history,which any user on your computer could access.
Similarly, when signing your applications with Jarsigner,do not supply the -storepass and -keypassoptions at the command line.
Do not give or lend anyone your private key, and do not let unauthorizedpersons know your keystore and key passwords.

Android App Download

In general, if you follow common-sense precautions when generating, using,and storing your key, it will remain secure.

6jc.netlify.com