Please select at least one of the signature versions to use in Android Studio 2.3
Now while generating a signed APK in Android Studio, it’s showing two options (CheckBox) namely 1.
V1 (Jar Signature) and 2. `V2 (Full APK Signature)’ as Signature Versions in last step of signed APK generating process.
So, what is the difference between these V1 (Jar Signature) and V2 (Full APK Signature) in new Android Studio update?
And which should I use (or both) for signing apk for play store release?
Also I’m getting error Install Parse Failed No Certificates while installing APK when I use second option.
It is a new signing mechanism introduced in Android 7.0, with additional features designed to make the APK signature more secure.
It is not mandatory. You should check BOTH of those checkboxes if possible, but if the new V2 signing mechanism gives you problems, you can omit it.
So you can just leave V2 unchecked if you encounter problems, but should have it checked if possible.
Should I use(or both) for signing apk for play store release?
An answer is YES.
In Android 7.0, APKs can be verified according to the APK Signature Scheme v2 (v2 scheme) or JAR signing (v1 scheme). Older platforms ignore v2 signatures and only verify v1 signatures.
I tried to generate build with checking V2(Full Apk Signature) option. Then when I tried to install a release build in below 7.0 device and I am unable to install build in the device.
After that I tried to build by checking both version checkbox and generate release build. Then able to install build.
It is written here that “By default, Android Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using both APK Signature Scheme v2 and the traditional signing scheme, which uses JAR signing.”
As it seems that these new checkboxes appeared with Android 2.3, I understand that my previous versions of Android Studio (at least the 2.2) did sign with both signatures. So, to continue as I did before, I think that it is better to check both checkboxes.
EDIT March 31st, 2017 : submitted several apps with both signatures => no problem 🙂
I think this represents a good answer.
APK Signature Scheme v2 verification
- Locate the
APK Signing Blockand verify that:
- Two size fields of
APK Signing Blockcontain the same value.
ZIP Central Directoryis immediately followed by
ZIP End of Central Directoryrecord.
ZIP End of Central Directoryis not followed by more data.
- Two size fields of
- Locate the first
APK Signature Scheme v2 Blockinside the
APK Signing Block. If the v2 Block if present, proceed to step 3. Otherwise, fall back to verifying the APK using v1 scheme.
- For each signer in the
APK Signature Scheme v2 Block:
- Choose the strongest supported signature algorithm ID from signatures. The strength ordering is up to each implementation/platform version.
- Verify the corresponding signature from signatures against signed data using public key. (It is now safe to parse signed data.)
- Verify that the ordered list of signature algorithm IDs in digests and signatures is identical. (This is to prevent signature stripping/addition.)
- Compute the digest of APK contents using the same digest algorithm as the digest algorithm used by the signature algorithm.
- Verify that the computed digest is identical to the corresponding digest from digests.
- Verify that
SubjectPublicKeyInfoof the first certificate of certificates is identical to public key.
- Verification succeeds if at least one signer was found and step 3 succeeded for each found signer.
Note: APK must not be verified using the v1 scheme if a failure occurs in step 3 or 4.
JAR-signed APK verification (v1 scheme)
The JAR-signed APK is a standard signed JAR, which must contain exactly the entries listed in
META-INF/MANIFEST.MF and where all entries must be signed by the same set of signers. Its integrity is verified as follows:
- Each signer is represented by a
PKCS #7 CMS ContentInfowith SignedData structure whose signature is verified over the
<signer>.SFfile contains a whole-file digest of the
META-INF/MANIFEST.MFand digests of each section of
META-INF/MANIFEST.MF. The whole-file digest of the
MANIFEST.MFis verified. If that fails, the digest of each
MANIFEST.MFsection is verified instead.
META-INF/MANIFEST.MFcontains, for each integrity-protected JAR entry, a correspondingly named section containing the digest of the entry’s uncompressed contents. All these digests are verified.
- APK verification fails if the APK contains JAR entries which are not listed in the
MANIFEST.MFand are not part of JAR signature.
The protection chain is thus
MANIFEST.MF→ contents of each integrity-protected JAR entry.
According to this link: signature help
APK Signature Scheme v2 offers:
- Faster app install times
- More protection against unauthorized alterations to APK files.
Android 7.0 introduces APK Signature Scheme v2, a new app-signing
scheme that offers faster app install times and more protection
against unauthorized alterations to APK files. By default, Android
Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using
both APK Signature Scheme v2 and the traditional signing scheme, which
uses JAR signing.
It is recommended to use APK Signature Scheme v2 but is not mandatory.
Although we recommend applying APK Signature Scheme v2 to your app,
this new scheme is not mandatory. If your app doesn’t build properly
when using APK Signature Scheme v2, you can disable the new scheme.