1

I have created the keystore using

```
keytool -genkey -v -keystore xx_yy_zz.keystore -alias xx_yy_zz_alias_name -keyalg RSA -keysize 2048 -validity 10000
```

Uploaded to Phonegap and generated an APK file

Then signed the APK using the below command

```
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore xx_yy_zz.keystore xx_yy_zz.78.apk xx_yy_zz_alias_name
```

But when I verify the APK it throws the below error

```
jarsigner -verify xx_yy_zz.78.apk
```

Error:

```
jarsigner: java.lang.SecurityException: invalid SHA-256 signature file digest for res/layout/notification_action.xml
```

halfer
Bhavika Patel

1 Answer

3

Use `-digestalg SHA-256` to sign, if you wish to verify SHA256.

SHA1 has been broken and should not be used anymore, at all.

Martin Zeitler
  • Thanks Martin for your response. Unfortunately it throws the below error `jarsigner error: java.security.NoSuchAlgorithmException: SHA256 MessageDigest not available` – Bhavika Patel Jan 20 '20 at 23:30
  • Sorry, there was a typo, have fixed that. Why do you even use `jarsigner`? Better use `apksigner` for Android packages, which also would support v2 and v3 signatures. – Martin Zeitler Jan 21 '20 at 01:30
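
An added example, not part of the original question or answer: the error above concerns a per-entry digest in a v1 signature file (`META-INF/*.SF`), which under the JAR signing scheme must equal the digest of that entry's section in `META-INF/MANIFEST.MF`. The Python below recomputes those digests for every `.SF` in an APK and lists the entries that do not match; the function names, `OLD.SF` and the sample archive are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile

def sections(raw):
    """Split manifest/.SF bytes into sections, each keeping its closing blank line."""
    return [m.group(0) for m in re.finditer(rb"(?:[^\r\n].*\r?\n)+(?:\r?\n)?", raw)]

def attrs(section):
    """Parse 'Key: value' attributes, unfolding 72-byte continuation lines."""
    text = re.sub(rb"\r?\n ", b"", section).decode("utf-8")
    return dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)

def b64digest(alg, data):
    return base64.b64encode(hashlib.new(alg.replace("-", "").lower(), data).digest()).decode()

def check_sf_digests(apk):
    """Return {sf_file: {digest_alg: [entries whose .SF digest != manifest section]}}."""
    report = {}
    with zipfile.ZipFile(apk) as z:
        by_name = {attrs(s).get("Name"): s for s in sections(z.read("META-INF/MANIFEST.MF"))}
        for sf in (n for n in z.namelist() if re.fullmatch(r"META-INF/[^/]+\.SF", n)):
            result = report.setdefault(sf, {})
            for a in map(attrs, sections(z.read(sf))):
                for key, value in a.items():
                    if "Name" in a and key.endswith("-Digest"):
                        alg = key[: -len("-Digest")]
                        bad = result.setdefault(alg, [])
                        if b64digest(alg, by_name.get(a["Name"], b"")) != value:
                            bad.append(a["Name"])
    return report

def build_sample(manifest_rewritten):
    """Constructed APK-like zip: one resource, a manifest, and a SHA-256 OLD.SF."""
    entry, data = "res/layout/notification_action.xml", b"<LinearLayout/>"
    def manifest(alg):
        return ("Manifest-Version: 1.0\r\n\r\nName: %s\r\n%s-Digest: %s\r\n\r\n"
                % (entry, alg, b64digest(alg, data))).encode()
    old = manifest("SHA-256")
    sf = ("Signature-Version: 1.0\r\n\r\nName: %s\r\nSHA-256-Digest: %s\r\n\r\n"
          % (entry, b64digest("SHA-256", sections(old)[1]))).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(entry, data)
        # Assumption (constructed): manifest regenerated with SHA1 after OLD.SF was written.
        z.writestr("META-INF/MANIFEST.MF", manifest("SHA1") if manifest_rewritten else old)
        z.writestr("META-INF/OLD.SF", sf)
    return buf

if __name__ == "__main__":
    for rewritten in (False, True):
        print(rewritten, check_sf_digests(build_sample(rewritten)))
```

`check_sf_digests` also accepts a file path, so it can be pointed at a real APK to see which digest algorithms each existing `.SF` uses before choosing `-digestalg`.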