Difference between signature versions - V1 Jar Signature and V2 Full APK Signature while generating a signed APK in Android Studio

Question

Please select at least one of the signature versions to use in Android Studio 2 3  Now while generating a signed APK in Android Studio  it s showing two options  CheckBox  namely 1  V1  Jar Signature  and 2  V2  Full APK Signature  as Signature Versions in the last step of signed APK generating process     So  what is the difference between V1  Jar Signature  and V2  Full APK Signature  in the new Android Studio update   And which should I use  or both  for signing apk for play store release   Also  I m getting error Install Parse Failed No Certificates while installing APK when I use the second option

User · Answer

Should I use or both  for signing apk for play store release  An answer is YES    As per https   source android com security apksigning v2 html verification       In Android 7 0  APKs can be verified according to the APK Signature Scheme v2  v2 scheme  or JAR signing  v1 scheme   Older platforms ignore v2 signatures and only verify v1 signatures    I tried to generate build with checking V2 Full Apk Signature  option  Then when I tried to install a release build in below 7 0 device and I am unable to install build in the device   After that I tried to build by checking both version checkbox and generate release build  Then able to install build

User · Answer

According to this link  signature help  APK Signature Scheme v2 offers    Faster app install times More protection against unauthorized alterations to APK files       Android 7 0 introduces APK Signature Scheme v2  a new app-signing   scheme that offers faster app install times and more protection   against unauthorized alterations to APK files  By default  Android   Studio 2 2 and the Android Plugin for Gradle 2 2 sign your app using   both APK Signature Scheme v2 and the traditional signing scheme  which   uses JAR signing    It is recommended to use APK Signature Scheme v2 but is not mandatory      Although we recommend applying APK Signature Scheme v2 to your app    this new scheme is not mandatory  If your app doesn t build properly   when using APK Signature Scheme v2  you can disable the new scheme

User · Answer

I think this represents a good answer   APK Signature Scheme v2 verification   Locate the APK Signing Block and verify that    Two size fields of APK Signing Block contain the same value  ZIP Central Directory is immediately followed by ZIP End of Central Directory record  ZIP End of Central Directory is not followed by more data   Locate the first APK Signature Scheme v2 Block inside the APK Signing Block  If the v2 Block if present  proceed to step 3  Otherwise  fall back to verifying the APK using v1 scheme  For each signer in the APK Signature Scheme v2 Block    Choose the strongest supported signature algorithm ID from signatures  The strength ordering is up to each implementation platform version  Verify the corresponding signature from signatures against signed data using public key   It is now safe to parse signed data   Verify that the ordered list of signature algorithm IDs in digests and signatures is identical   This is to prevent signature stripping addition   Compute the digest of APK contents using the same digest algorithm as the digest algorithm used by the signature algorithm  Verify that the computed digest is identical to the corresponding digest from digests  Verify that SubjectPublicKeyInfo of the first certificate of certificates is identical to public key   Verification succeeds if at least one signer was found and step 3 succeeded for each found signer    Note  APK must not be verified using the v1 scheme if a failure occurs in step 3 or 4   JAR-signed APK verification  v1 scheme   The JAR-signed APK is a standard signed JAR  which must contain exactly the entries listed in META-INF MANIFEST MF and where all entries must be signed by the same set of signers  Its integrity is verified as follows    Each signer is represented by a META-INF  lt signer gt  SF and META-INF  lt signer gt   RSA DSA EC  JAR entry   lt signer gt   RSA DSA EC  is a PKCS  7 CMS ContentInfo with SignedData structure whose signature is verified over the  lt signer gt  SF file   lt signer gt  SF file contains a whole-file digest of the META-INF MANIFEST MF and digests of each section of META-INF MANIFEST MF  The whole-file digest of the MANIFEST MF is verified  If that fails  the digest of each MANIFEST MF section is verified instead  META-INF MANIFEST MF contains  for each integrity-protected JAR entry  a correspondingly named section containing the digest of the entry   s uncompressed contents  All these digests are verified  APK verification fails if the APK contains JAR entries which are not listed in the MANIFEST MF and are not part of JAR signature  The protection chain is thus  lt signer gt   RSA DSA EC     lt signer gt  SF   MANIFEST MF   contents of each integrity-protected JAR entry

User · Answer

It is written here that  By default  Android Studio 2 2 and the Android Plugin for Gradle 2 2 sign your app using both APK Signature Scheme v2 and the traditional signing scheme  which uses JAR signing     As it seems that these new checkboxes appeared with Android 2 3  I understand that my previous versions of Android Studio  at least the 2 2  did sign with both signatures  So  to continue as I did before  I think that it is better to check both checkboxes   EDIT March 31st  2017   submitted several apps with both signatures    no problem

User · Answer

It is a new signing mechanism introduced in Android 7 0  with additional features designed to make the APK signature more secure  It is not mandatory  You should check BOTH of those checkboxes if possible  but if the new V2 signing mechanism gives you problems  you can omit it  So you can just leave V2 unchecked if you encounter problems  but should have it checked if possible  UPDATED  This is now mandatory when targeting Android 11

[android] Difference between signature versions - V1 (Jar Signature) and V2 (Full APK Signature) while generating a signed APK in Android Studio?

Examples related to android

Examples related to android-studio

Examples related to apk

Examples related to signature

Examples related to signing