Monday, August 4, 2014

Mobile Development with Cordova (Phonegap): Appendix A


Appendix A: Generating a Certificate Keystore (Android)

Android apps must have a digital signature. For Android, you generate your own certificate, which is saved inside a "keystore" file. You generate this with the keytool command-line tool, which is part of the Android SDK you downloaded while setting up your build environment.


Generating a Keystore

The command below generates an Android keystore named android_certificate.keystore containing a single certificate named android, good for about 25 years (10,000 days), and with a nice large key size (8kB is current standard).
keytool -genkey -v -keyalg RSA -keysize 8192 -validity 10000 -keystore android_certificate.keystore -alias android

You will be prompted to enter a password, then for your "first and last name" which really means any identifier such as your company or department name, then other identifying info such as your location. Lastly you'll be asked for a second password to lock the keystore (as contrasted to the certificate itself) but I like to just use the same password for both.

In the end you'll have a keystore file. Back it up into a safe place along with the alias and password.

Warning: The certificate and keystore must be the same when you sign future versions of the same app. If you lose the keystore or forget the alias or the password, you will not be able to sign future versions of the app. As a result, anybody trying to upgrade will fail: they will need to uninstall the previous version of the app before installing the upgrade.
 

Using the keystore in Cordova CLI Tools

An app compiled with cordova build android --release will not be properly signed, and will not install onto phones, unless you instruct ant to use the keystore.

You can specify the path to the keystore file, as well as the alias, in the ant.properties file. This is described in the Setting Up Certificates part of chapter 3 when setting up a new project.

Tip: I always use cordova build android --release so it prompts for a real certificate. This adds an extra step to the build/test cycle, but does ensure that the selfsame APK can be distributed to others (it's easy to forget, and send an APK that's not signed). It also ensures that I in fact have the keystore handy, as I am unlikely to lose it and then lose my backups over time, if I'm actively using it every day of development.
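
One way to script the ant.properties step and check the keystore backup described above, as an added example that is not part of the original post. The function names and the ant.properties path argument are this example's assumptions; key.store and key.alias are the signing properties read by the Android Ant build, and removing saved password properties so the build prompts is this example's choice.

```shell
#!/bin/sh
# Added example: function names and the ant.properties path argument are
# this example's own assumptions, not taken from the original post.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the backup copy is byte-identical to the working keystore.
backup_matches() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Replace or append KEY=VALUE in a properties file, leaving other lines alone.
set_prop() {
    touch "$1"
    grep -v "^$2=" "$1" > "$1.tmp" || true
    printf '%s=%s\n' "$2" "$3" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# configure_signing ANT_PROPERTIES KEYSTORE ALIAS
configure_signing() {
    props=$1; ks=$2; alias_name=$3
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 1; }
    # Store an absolute path so the build finds the keystore from any directory.
    ks_abs=$(cd "$(dirname "$ks")" && pwd)/$(basename "$ks")
    set_prop "$props" key.store "$ks_abs"
    set_prop "$props" key.alias "$alias_name"
    # Example's choice: drop any saved passwords so the release build prompts.
    grep -v -e '^key\.store\.password=' -e '^key\.alias\.password=' \
        "$props" > "$props.tmp" || true
    mv "$props.tmp" "$props"
}

# Stand-alone use: ./sign-setup.sh ant.properties android_certificate.keystore android
if [ "$#" -eq 3 ]; then
    configure_signing "$1" "$2" "$3"
fi
```

Run backup_matches against each backup copy after creating it; a mismatch means the copy cannot be relied on to sign future versions.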


