When an Android app (.apk file) is secured with Blue Cedar policies, it must be re-signed before it can be installed on an Android device. Blue Cedar supports Android app signing on macOS and Linux: the page "Signing apps externally on MacOS" describes that process, which uses a shell script provided by the Blue Cedar policy console. This page describes how to sign Android apps on computers running Windows and provides the signing script for these users:
- Blue Cedar Enterprise (on-premises) users who choose to Export for external code signing
- Blue Cedar Enforce users and Enterprise (hosted) users: external code signing is the only option
Before you export a secured app for signing, see the policy console documentation to secure an app with an appropriate signing profile. Once you have secured the app and included a signing profile, you can Export a zip file from the policy console and sign outside the console. This zip file includes:
- A copy of the secured app
- All information required to sign the app
- A simple shell script (sign.sh) to run on a Mac or Linux signing server.
Windows requires a batch (.bat) script, which is currently not provided by the console but is attached here: sign.bat
Applying the signing profile in the console validates the signing parameters for use with your app, even though it does not sign the app. Click Export for Signing to download the app with its signing information.
Requirements for signing on Windows
- Download this script file for signing on Windows to replace the script in the exported zip file: sign.bat
- Edit the sign.bat file to replace "mykey" with your keystore alias and "cloudfaux" with your keystore password. These credentials must match the keystore credentials in your signing profile. The edited script then holds the keystore password in plain text, so restrict who can read it on the signing server.
- Path: Edit these environment variables and the PATH variable:
- Open "advanced system settings" from the Windows search box. On the Advanced tab, select Environment Variables and add or edit these variables.
| Add or edit environment variable | Set to | Example |
|---|---|---|
| JAVA_HOME | The location of the JDK installation | C:\Program Files\Java\jdk1.8.0_162 |
| ANDROID_HOME | The location of the Android SDK installation | C:\Users\jlennon\AppData\Local\Android\Sdk |
| build_tools | The build_tools location in the Android SDK path | %ANDROID_HOME%\build-tools\27.0.3\ |
| PATH | Add the other tools in the Android SDK path | |
Signing the app
To sign the app using the contents of the zip file:
1. On your Windows signing server, extract the contents of the zip file.
2. Copy the Windows signing script (sign.bat) to the directory with the extracted files.
3. Open the Command window and navigate to the directory that contains the extracted .apk file.
4. Run the script:
The default output filename adds "-signed" to the original filename, for example, compass-secured-signed.apk. Optionally, you can specify the output filename:
The secured and signed app is now ready to deploy and test.
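Before deploying, you can confirm that the re-signed APK verifies and was signed with the intended key. The PowerShell script below is an added example, not part of Blue Cedar's sign.bat or the exported zip. It assumes the build_tools variable from the table above is set and that apksigner.bat is present in that directory; the parameter names and the fingerprint placeholder are illustrative.

```powershell
# Added example: verify a re-signed APK before deployment (not part of sign.bat).
# Assumptions: the build_tools environment variable is set as in the table above,
# and -ExpectedSha256 is the SHA-256 fingerprint of your signing certificate
# (placeholder default below; read the real one with `keytool -list -v`).
param(
    [string]$Apk = 'compass-secured-signed.apk',
    [string]$ExpectedSha256 = '<EXPECTED-CERT-SHA256-HEX>'
)

if (-not $env:build_tools) { throw 'Environment variable build_tools is not set.' }
$apksigner = Join-Path $env:build_tools 'apksigner.bat'
if (-not (Test-Path $apksigner)) { throw "apksigner.bat not found in $env:build_tools" }
if (-not (Test-Path $Apk))       { throw "APK not found: $Apk" }

# apksigner returns a non-zero exit code when the APK signature does not verify.
# Only stdout is captured; warnings on stderr are shown in the console.
$output = & $apksigner verify --verbose --print-certs $Apk
if ($LASTEXITCODE -ne 0) {
    $output | Write-Host
    throw "Signature verification failed for $Apk"
}

# Collect each signer's certificate digest from lines such as
# "Signer #1 certificate SHA-256 digest: <hex>".
$digests = @($output |
    Select-String -Pattern 'certificate SHA-256 digest:\s*([0-9a-fA-F]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToLower() })

if ($digests.Count -eq 0) {
    throw 'No signer certificate digest found in apksigner output.'
}

# keytool prints fingerprints as colon-separated upper-case hex,
# so strip separators and lower-case the expected value before comparing.
$expected = ($ExpectedSha256 -replace '[:\s]', '').ToLower()

# Fail if any signer is not the expected certificate.
$unexpected = @($digests | Where-Object { $_ -ne $expected })
if ($unexpected.Count -gt 0) {
    throw "APK is signed by an unexpected certificate: $($unexpected -join ', ')"
}

Write-Host "OK: $Apk verifies and is signed by the expected certificate."
```

With the placeholder left in place the comparison fails by design, so the script only reports success once a real fingerprint has been supplied.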