SyntaxFix

[android] Difference between signature versions - V1 (Jar Signature) and V2 (Full APK Signature) while generating a signed APK in Android Studio?

Please select at least one of the signature versions to use in Android Studio 2.3

Now while generating a signed APK in Android Studio, it's showing two options (CheckBox) namely 1. V1 (Jar Signature) and 2. V2 (Full APK Signature) as Signature Versions in the last step of signed APK generating process.

**Signature Versions** options

So, what is the difference between V1 (Jar Signature) and V2 (Full APK Signature) in the new Android Studio update?

And which should I use (or both) for signing apk for play store release?

Also, I'm getting error Install Parse Failed No Certificates while installing APK when I use the second option.

This question is related to android android-studio apk signature signing

The answer is

It is written here that "By default, Android Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using both APK Signature Scheme v2 and the traditional signing scheme, which uses JAR signing."

As it seems that these new checkboxes appeared with Android 2.3, I understand that my previous versions of Android Studio (at least the 2.2) did sign with both signatures. So, to continue as I did before, I think that it is better to check both checkboxes.

EDIT March 31st, 2017 : submitted several apps with both signatures => no problem :)

I think this represents a good answer.

APK Signature Scheme v2 verification

  1. Locate the APK Signing Block and verify that:
    1. Two size fields of APK Signing Block contain the same value.
    2. ZIP Central Directory is immediately followed by ZIP End of Central Directory record.
    3. ZIP End of Central Directory is not followed by more data.
  2. Locate the first APK Signature Scheme v2 Block inside the APK Signing Block. If the v2 Block if present, proceed to step 3. Otherwise, fall back to verifying the APK using v1 scheme.
  3. For each signer in the APK Signature Scheme v2 Block:
    1. Choose the strongest supported signature algorithm ID from signatures. The strength ordering is up to each implementation/platform version.
    2. Verify the corresponding signature from signatures against signed data using public key. (It is now safe to parse signed data.)
    3. Verify that the ordered list of signature algorithm IDs in digests and signatures is identical. (This is to prevent signature stripping/addition.)
    4. Compute the digest of APK contents using the same digest algorithm as the digest algorithm used by the signature algorithm.
    5. Verify that the computed digest is identical to the corresponding digest from digests.
    6. Verify that SubjectPublicKeyInfo of the first certificate of certificates is identical to public key.
  4. Verification succeeds if at least one signer was found and step 3 succeeded for each found signer.

Note: APK must not be verified using the v1 scheme if a failure occurs in step 3 or 4.

JAR-signed APK verification (v1 scheme)

The JAR-signed APK is a standard signed JAR, which must contain exactly the entries listed in META-INF/MANIFEST.MF and where all entries must be signed by the same set of signers. Its integrity is verified as follows:

  1. Each signer is represented by a META-INF/<signer>.SF and META-INF/<signer>.(RSA|DSA|EC) JAR entry.
  2. <signer>.(RSA|DSA|EC) is a PKCS #7 CMS ContentInfo with SignedData structure whose signature is verified over the <signer>.SF file.
  3. <signer>.SF file contains a whole-file digest of the META-INF/MANIFEST.MF and digests of each section of META-INF/MANIFEST.MF. The whole-file digest of the MANIFEST.MF is verified. If that fails, the digest of each MANIFEST.MF section is verified instead.
  4. META-INF/MANIFEST.MF contains, for each integrity-protected JAR entry, a correspondingly named section containing the digest of the entry’s uncompressed contents. All these digests are verified.
  5. APK verification fails if the APK contains JAR entries which are not listed in the MANIFEST.MF and are not part of JAR signature. The protection chain is thus <signer>.(RSA|DSA|EC) ? <signer>.SF ? MANIFEST.MF ? contents of each integrity-protected JAR entry.

According to this link: signature help

APK Signature Scheme v2 offers:

  1. Faster app install times
  2. More protection against unauthorized alterations to APK files.

Android 7.0 introduces APK Signature Scheme v2, a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files. By default, Android Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using both APK Signature Scheme v2 and the traditional signing scheme, which uses JAR signing.

It is recommended to use APK Signature Scheme v2 but is not mandatory.

Although we recommend applying APK Signature Scheme v2 to your app, this new scheme is not mandatory. If your app doesn't build properly when using APK Signature Scheme v2, you can disable the new scheme.

Should I use(or both) for signing apk for play store release? An answer is YES.

As per https://source.android.com/security/apksigning/v2.html#verification :

In Android 7.0, APKs can be verified according to the APK Signature Scheme v2 (v2 scheme) or JAR signing (v1 scheme). Older platforms ignore v2 signatures and only verify v1 signatures.

I tried to generate build with checking V2(Full Apk Signature) option. Then when I tried to install a release build in below 7.0 device and I am unable to install build in the device.

After that I tried to build by checking both version checkbox and generate release build. Then able to install build.

Source: Stackoverflow.com

Examples related to android

Under what circumstances can I call findViewById with an Options Menu / Action Bar item? How to implement a simple scenario the OO way My eclipse won't open, i download the bundle pack it keeps saying error log getting " (1) no such column: _id10 " error java doesn't run if structure inside of onclick listener Cannot retrieve string(s) from preferences (settings) strange error in my Animation Drawable how to put image in a bundle and pass it to another activity FragmentActivity to Fragment A failure occurred while executing com.android.build.gradle.internal.tasks

Examples related to android-studio

A failure occurred while executing com.android.build.gradle.internal.tasks "Failed to install the following Android SDK packages as some licences have not been accepted" error Android Gradle 5.0 Update:Cause: org.jetbrains.plugins.gradle.tooling.util This version of Android Studio cannot open this project, please retry with Android Studio 3.4 or newer WARNING: API 'variant.getJavaCompile()' is obsolete and has been replaced with 'variant.getJavaCompileProvider()' Flutter plugin not installed error;. When running flutter doctor ADB.exe is obsolete and has serious performance problems Android design support library for API 28 (P) not working Flutter command not found How to find the path of Flutter SDK

Examples related to apk

Application Installation Failed in Android Studio Difference between signature versions - V1 (Jar Signature) and V2 (Full APK Signature) while generating a signed APK in Android Studio? Session 'app': Error Installing APK Android Error Building Signed APK: keystore.jks not found for signing config 'externalOverride' Build and Install unsigned apk on device without the development server? The APK file does not exist on disk Android Studio: Application Installation Failed How to retrieve Key Alias and Key Password for signed APK in android studio(migrated from Eclipse) ADB Install Fails With INSTALL_FAILED_TEST_ONLY Upload failed You need to use a different version code for your APK because you already have one with version code 2

Examples related to signature

installation app blocked by play protect Difference between signature versions - V1 (Jar Signature) and V2 (Full APK Signature) while generating a signed APK in Android Studio?

Examples related to signing

Difference between signature versions - V1 (Jar Signature) and V2 (Full APK Signature) while generating a signed APK in Android Studio? How to retrieve Key Alias and Key Password for signed APK in android studio(migrated from Eclipse) How can I add private key to the distribution certificate? How to sign an android apk file What is the difference between encrypting and signing in asymmetric encryption?

Tags

Uielementcollection Rr Installscript Class Wscf Android-context Jquery-forms-plugin Structured-storage Google-doodle Rfcomm 68000 Dynamics-crm Secure-scl Informat Group-project Url-shortener Localization Specular Lightning Language-features Httpruntime Control-adapter Intellitrace Idictionary Ajdt Perlsyn Google-datatable Fsockopen Msf Jql Lead Microsoft-chart-controls Unity2.0 Uart Mod-jk Qtableview Appserver Integration Tivoli-identity-manager Eeepc Indices Smb Pack-uri Nsslider Single-sign-on Job-scheduling Cassini Google-spreadsheet-api Google-base Datacolumncollection Ilide Power-state Cross-platform Red-black-tree Justcode Spinning Twisted.words Guard Firebreath Autoload Translation-scheme Nscharacterset Confluence Asymmetric Vertex-buffer Netbeans-plugins Tlf Json-framework Twisted.web Infinite Jaxm Onvp8 Nerdtree Sysdatabases Weekday Foreground Nsblockoperation Conditional-attribute Map Abc Docking Oracleportal Logo-testing Mss Altivec Pixel-bender Finalbuilder Fast-app-switching Summary Table-structure Image-resizing System-requirements Xml-sitemap Indexed-properties Proj Assemblies Letters Array-algorithms Couchdb-futon Tobjectlist