Android Signing Issue on Windows
We recently discovered an issue where Android games that were signed using a keystore created inside Windows Creator may have an issue installing on devices running Android 4.3.1 (Jelly Bean) or older. If you created your keystore from the command line using the instructions from the Mac Cookbook then you are probably not affected.
If you haven't uploaded your game to the Google Play store then it's probably easiest to just recreate your keystore using version 13.36 or later of Windows Creator or the command line instructions found here: http://help.gamesalad.com/gamesalad-cookbook/4-android-publishing/4-02-creating-a-keystore/
If you have uploaded your game to the Google Play store then the solution is to bump your version number in the Android project on the publishing website, regenerate the APK, then sign and upload it as you normally would with your existing keystore. Do not recreate your keystore or you will not be able to update your existing game.
If you're not sure if you might be affected it's pretty easy to find out:
- Open a command prompt or terminal
- Run keytool -list -v -keystore your.keystore
- Enter the password for the keystore
Take a look at the output. It should look something like this:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: default
Creation date: Aug 20, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=, OU=, O=, L=, ST=, C=
Issuer: CN=, OU=, O=, L=, ST=, C=
Serial number: 17c7641c
Valid from: Thu Aug 20 15:41:16 CDT 2015 until: Mon Jan 05 14:41:16 CST 2043
Signature algorithm name: SHA256withRSA
It's possible to have more than one alias in a keystore, so you want to look for the section that starts with Alias name: .
If you look a few lines down you'll see the line that starts with Signature algorithm name:
If the name is SHA1withRSA then you don't have the issue. If the name is SHA256withRSA you do, and you probably want to re-sign your game as explained above.
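As an added example (not GameSalad's code), this Python script applies the check above to every alias in saved keytool -list -v output. The sample text is constructed, and any algorithm other than the two named in this post is reported as unknown rather than guessed at.

```python
import sys

# Constructed sample in the layout `keytool -list -v` prints; not real output.
SAMPLE = """\
Keystore type: JKS
Your keystore contains 2 entries

Alias name: default
Entry type: PrivateKeyEntry
Valid from: Thu Aug 20 15:41:16 CDT 2015 until: Mon Jan 05 14:41:16 CST 2043
Signature algorithm name: SHA256withRSA

Alias name: legacy
Entry type: PrivateKeyEntry
Signature algorithm name: SHA1withRSA
"""

# Verdicts as stated in this post; anything else is left undecided.
VERDICTS = {"SHA1WITHRSA": "ok", "SHA256WITHRSA": "affected"}

def classify(keytool_output):
    """Return {alias: 'ok' | 'affected' | 'unknown'} for every alias listed."""
    algos, alias = {}, None
    for line in keytool_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Alias name":
            alias = value.strip()
            algos.setdefault(alias, None)
        elif (key == "Signature algorithm name" and alias is not None
              and algos[alias] is None):
            # Only the first certificate under an alias counts, and only the
            # algorithm token is kept in case a note follows the name.
            tokens = value.split()
            algos[alias] = tokens[0].upper() if tokens else ""
    return {a: VERDICTS.get(n, "unknown") for a, n in algos.items()}

if __name__ == "__main__":
    # Pass a file holding saved keytool output, or no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for alias, verdict in classify(text).items():
        print(f"{alias}: {verdict}")
```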
The reason it wasn't working is that when you create a keystore in Windows Creator, we weren't forcing the alias to use the SHA1withRSA signature algorithm, and newer versions of Java default to the SHA256withRSA algorithm.
The fix is to have Creator 13.36 and newer use the SHA1withRSA algorithm when signing an APK file using jarsigner rather than reading and using the algorithm attached to the alias in the keystore file. Any new keystore files created will also use the SHA1withRSA algorithm.
To test this we performed the following steps:
- Created a new keystore and signed an APK with 13.35 and published it to the Android Play store
- Verified that it would not install on an Ice Cream Sandwich or Jelly Bean device and would install on KitKat or newer.
- Regenerated the same APK with a different version number, then signed it using 13.36 and published the update to the Android Play store
- Verified that the 2.0 version would install on Ice Cream Sandwich and Jelly Bean devices and would upgrade properly on KitKat and newer devices.