为什么要在发布到 PlayStore 之前对我的 apk 进行签名? [英] Why should I sign my apk before releasing to PlayStore?

问题描述

在发布到市场之前签署 apk 的重要性究竟是什么?

What exactly is the importance of signing an apk before releasing to the market?

推荐答案

来自 Android 应用程序签名文档:

Android 系统要求所有已安装的应用程序使用证书进行数字签名，该证书的私钥由应用程序的开发人员.Android系统使用证书作为识别应用程序作者和建立的方法应用程序之间的信任关系.证书未使用控制用户可以安装哪些应用程序.证书不需要由证书颁发机构签名:它是完美的允许且典型的 Android 应用程序使用自签名证书.

The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The certificate is not used to control which applications the user can install. The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates.

了解签署 Android 应用程序的要点是:

The important points to understand about signing Android applications are:

• 所有申请都必须签名.如果应用程序未签名，系统将不会在模拟器或设备上安装应用程序.
• 为了测试和调试您的应用程序，构建工具使用由 Android 创建的特殊调试密钥对您的应用程序进行签名SDK 构建工具.
• 当您准备好向最终用户发布您的应用程序时，您必须使用合适的私钥对其进行签名.你不能发布一个使用 SDK 生成的调试密钥签名的应用程序工具.
• 您可以使用自签名证书为您的应用程序签名.不需要证书颁发机构.
• 系统仅在安装时测试签名者证书的到期日期.如果应用程序的签名者证书在应用程序已安装，应用程序将继续运行正常.
• 您可以使用标准工具(Keytool 和 Jarsigner)来生成密钥并对您的应用程序 .apk 文件进行签名.
• 在您签署要发布的应用程序后，我们建议您使用 zipalign 工具来优化最终的 APK 包.

Android 系统不会安装或运行非适当签署.这适用于运行 Android 系统的任何地方，无论是在实际设备上还是在模拟器上.为此，你必须先为您的应用程序设置签名，然后才能运行它或在模拟器或设备上调试

The Android system will not install or run an application that is not signed appropriately. This applies wherever the Android system is run, whether on an actual device or on the emulator. For this reason, you must set up signing for your application before you can run it or debug it on an emulator or device

为什么意味着:

应用程序签名的某些方面可能会影响您处理开发您的应用程序，特别是如果您打算发布多个应用.

Some aspects of application signing may affect how you approach the development of your application, especially if you are planning to release multiple applications.

一般来说，推荐给所有开发者的策略是签署所有具有相同证书的应用程序，在整个过程中应用程序的预期寿命.有几个原因你应该这样做:

In general, the recommended strategy for all developers is to sign all of your applications with the same certificate, throughout the expected lifespan of your applications. There are several reasons why you should do so:

• 应用程序升级 – 当您发布应用程序更新时，您必须继续使用相同的更新签名证书或证书集，如果您希望用户能够无缝升级到新版本.系统安装时对应用程序的更新，它比较新的证书版本与现有版本中的那些.如果证书匹配确切地说，包括证书数据和订单，那么系统允许更新.如果您在未使用的情况下签署新版本匹配证书，您还必须分配不同的包名称到应用程序 - 在这种情况下，用户安装新版本作为一个全新的应用程序.

• Application upgrade – As you release updates to your application, you must continue to sign the updates with the same certificate or set of certificates, if you want users to be able to upgrade seamlessly to the new version. When the system is installing an update to an application, it compares the certificate(s) in the new version with those in the existing version. If the certificates match exactly, including both the certificate data and order, then the system allows the update. If you sign the new version without using matching certificates, you must also assign a different package name to the application — in this case, the user installs the new version as a completely new application.

应用程序模块化 – Android 系统允许由相同证书签名的应用程序在同一进程中运行，如果应用程序如此请求，以便系统将它们视为单一应用.通过这种方式，您可以将应用程序部署在模块，用户可以独立更新每个模块，如果需要.

Application modularity – The Android system allows applications that are signed by the same certificate to run in the same process, if the applications so requests, so that the system treats them as a single application. In this way you can deploy your application in modules, and users can update each of the modules independently if needed.

通过权限共享代码/数据 – Android 系统提供基于签名的权限执行，以便应用程序可以向另一个应用程序公开功能使用指定的证书签名.通过签署多个应用程序使用相同的证书并使用基于签名的权限检查，您的应用程序可以以安全的方式共享代码和数据.

Code/data sharing through permissions – The Android system provides signature-based permissions enforcement, so that an application can expose functionality to another application that is signed with a specified certificate. By signing multiple applications with the same certificate and using signature-based permissions checks, your applications can share code and data in a secure manner.

确定签约策略的另一个重要考虑因素是如何设置您将用于签名的密钥的有效期您的应用程序.

Another important consideration in determining your signing strategy is how to set the validity period of the key that you will use to sign your applications.

• 如果您计划支持单个应用程序的升级，您应该确保您的密钥具有超过预期的有效期该应用程序的生命周期.有效期为 25 年或以上受到推崇的.当您的密钥的有效期到期时，用户将不会不再能够无缝升级到您的新版本应用程序.

• If you plan to support upgrades for a single application, you should ensure that your key has a validity period that exceeds the expected lifespan of that application. A validity period of 25 years or more is recommended. When your key's validity period expires, users will no longer be able to seamlessly upgrade to new versions of your application.

如果您将使用同一个密钥签署多个不同的应用程序，您应该确保您的密钥的有效期超过预期所有应用程序的所有版本的生命周期，包括将来可能会添加到套件中的相关应用程序.

If you will sign multiple distinct applications with the same key, you should ensure that your key's validity period exceeds the expected lifespan of all versions of all of the applications, including dependent applications that may be added to the suite in the future.

如果您计划在 Google Play 上发布您的应用程序，您用于签署应用程序的密钥必须有一个有效期结束2033 年 10 月 22 日之后.Google Play 强制执行此要求以确保用户可以在新版本发布时无缝升级应用程序可用.

If you plan to publish your application(s) on Google Play, the key you use to sign the application(s) must have a validity period ending after 22 October 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade applications when new versions are available.

这篇关于为什么要在发布到 PlayStore 之前对我的 apk 进行签名?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！