Android Signing Issue on Windows

GeorgeGSGeorgeGS Member, PRO Posts: 478

We recently discovered an issue where Android games that were signed using a keystore created inside Windows creator may have an issue installing on devices running Android 4.3.1 (Jelly Bean) or older. If you created your keystore from the command line using the instructions from the Mac Cookbook then you are probably not affected.

If you haven't uploaded your game to the Google Play store then it's probably easiest to just recreate your keystore using version 13.36 or later of Windows Creator or the command line instructions found here: http://help.gamesalad.com/gamesalad-cookbook/4-android-publishing/4-02-creating-a-keystore/

If you have uploaded your game to the Google Play store then the solution is to bump your version number in the Android project on the publishing website, regenerate the APK, then sign and upload it as you normally would with your existing keystore. Do not recreate your keystore or you will not be able to update your existing game

If you're not sure if you might be affected it's pretty easy to find out:

  1. Open a command prompt or terminal
  2. Type: keytool -list -v -keystore your.keystore
  3. Enter the password for the keystore
  4. Take a look at the output, it should look something like this:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: default
    Creation date: Aug 20, 2015
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=, OU=, O=, L=, ST=, C=
    Issuer: CN=, OU=, O=, L=, ST=, C=
    Serial number: 17c7641c
    Valid from: Thu Aug 20 15:41:16 CDT 2015 until: Mon Jan 05 14:41:16 CST 2043
    Certificate fingerprints:
    MD5: 49:33:FB:CA:0C:A6:28:82:1A:DD:C7:9E:10:3D:8D:51
    SHA1: 9E:D0:71:62:EA:E3:C8:51:6D:BB:02:E7:EF:7C:43:11:F0:4F:7F:BE
    SHA256: 87:A5:72:09:10:71:73:EB:ED:2C:81:C6:43:99:D5:78:BB:05:01:41:95:87:65:C9:6C:26:48:B0:A2:4C:A0:49
    Signature algorithm name: SHA256withRSA
    Version: 3

It's possible to have more than one alias in a keystore, so you want to look for the section that starts with Alias name: .
If you look a few lines down you'll see the line that starts with Signature algorithm name:
If the name is SHA1withRSA then you don't have the issue. If the name is SHA256withRSA you do, and you probably want to resign your game as explained above.

The reason it wasn't working is that when you create a keystore in Windows Creator we weren't forcing the alias to use the SHA1withRSA signature algorithm and newer versions of Java default to the SHA256withRSA algorithm.

The fix is to have Creator 13.36 and newer use the SHA1withRSA algorithm when signing an APK file using jarsigner rather than reading and using the algorithm attached to the alias in the keystore file. Any new keystore files created will also use the SHA1withRSA algorithm.

To test this we performed the following steps:

  1. Created a new keystore and signed an APK with 13.35 and published it to the Android Play store
  2. Verified that it would not install on an Ice Cream Sandwich or Jelly Bean device and would install on KitKat or newer.
  3. Regenerated the same APK with a different version number, then signed it using 13.36 and published the update the the Android Play store
  4. Verified that the 2.0 version would install on Ice Cream Sandwich and Jelly Bean devices and would upgrade properly on KitKat and newer devices.

Comments

  • RedRoboRedRobo Member, PRO Posts: 680

    Sorry but I'm a bit confused about this ;/

    I have an app on Google Play which was signed with an older version of Gamesalad.

    Do I just need to update my Creator, re-generate my app with a new version number via the Publishing website and re-sign with my existing Keystore?

    And going forwards...is it ok to keep my existing keystore and all will be well as the fix is within the Creator itself???

    Cheers

  • GeorgeGSGeorgeGS Member, PRO Posts: 478

    If the keystore you signed with uses SHA256 as shown in the example above and you signed the apk using Creator 13.35 or older then your app on the play store probably won't install properly on the older operating systems.

    If you publish a new version now and sign the apk with Windows Creator 13.36 or newer then it will use the SHA1 algorithm that works on the older operating systems.

    If your keystore shows SHA1 instead of SHA256 then you should already be fine.

  • RedRoboRedRobo Member, PRO Posts: 680

    I

    I am struggling to check whether I'm using SHA1 or SHA256.
    I typed what you said into the Command prompt and this is what I get. Sorry but whenever I have to type any code this kind of thing happens (hence why I love GameSalad!).

    Am I making some kind of stupid mistake here?

  • GeorgeGSGeorgeGS Member, PRO Posts: 478

    It looks like the Java directory isn't in your path, so you'll need to type out the whole path to it. Something like:

    "C:\Program Files\Java\jdk1.8.0_60\bin\keytool.exe" -list -v -keystore ...

    The quotes are important if you installed Java in the default place because of the spaces in the path. You'll also either want to CD to where your keystore file is first or type the full path to that as well.

  • RedRoboRedRobo Member, PRO Posts: 680

    Thanks @GeorgeGS for the explanation, I needed that as I have pretty much ZERO experience of typing in the Command prompt window!!!

    The results I get are:

    Signature algorithm name: SHA1withDSA
    Version: 3

    I presume I'm ok as it says SHA1 although why does mine display DSA instead of RSA?

    Many thanks.

  • GeorgeGSGeorgeGS Member, PRO Posts: 478

    @strag said:
    The results I get are:

    Signature algorithm name: SHA1withDSA
    Version: 3

    I presume I'm ok as it says SHA1 although why does mine display DSA instead of RSA?

    That should be fine. The issue was with using SHA256 versus SHA1. The older Android operating systems don't seem to be able to decode SHA256.

    DSA is just a different algorithm for signing than RSA. They both do generally the same thing as far as APK signing goes.

    I'll check in Creator to make sure we're not doing anything weird that might make a DSA key not work just in case.

  • RedRoboRedRobo Member, PRO Posts: 680

    Great, thanks very much for your help on this.

Sign In or Register to comment.