Gotcha: “Package file was not signed correctly”

Sometimes you run into an issue that takes way too long to fix and could have been prevented with just a little piece of knowledge. If your swearing ends with “That has cost me a day of work!” when you find the issue, odds are you got a gotcha. Here is one I ran into lately.

If you do not want to read further here is the catch:

Do not create the keystore with one Java version and sign your APK with a different one.

The story: This Christmas I ran into an interesting issue with regard to signing Android apps. I had just finished the Android version of WappZapp and submitted it to the Play Store. When downloading the app, after installation users saw this message:

So the situation was:

  1. No errors whatsoever while building.
  2. No errors when submitting the app.
  3. Only an error when installing the app from the Play Store :(

Also, when I tried to install the app with adb, it would not install and gave this error message:

MacBook-Air-van-Wienke-2:wappzapp wienke$ adb install -r /Users/wienke/Desktop/WappZapp.apk
4423 KB/s (23248682 bytes in 5.132s)
    pkg: /data/local/tmp/WappZapp.apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

After trying all kinds of things and doing some research, I found an answer to this issue by @stephenfeather, who is familiar to you all.

My situation was just as he describes:

It goes something like this:
Sometime in September, ‘Sure I’d like to upgrade to the latest/best Java tools’
Sometime in December, ‘why the heck doesn’t this stuff work, it worked last time I tried it!!!!’
Oracle really needs to fix it.

For another project I was using JDK 1.7; meanwhile I also had JDK 1.6 on my machine, as well as the version shipped by Apple. When I found out that I had created the keystore with the shipped version on my Mac and signed the app with that version, it worked.

Hope to have saved you a day of work.

Update 5-1-2014:

Pratik suggested another way to work around the problem. Very helpful if you already have an app in the Play Store that is signed with the generated keystore.

Another way to work around this using a JDK version is to pass some additional flags to the jar signer as so:

jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore my_app.apk alias_name
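
To confirm that the -digestalg flag from the workaround above actually took effect on a build, you can read the digest header names that jarsigner writes into META-INF/*.SF. The following is an added example, not code from the original post; make_sample_apk and its placeholder digest values are constructed for illustration.

```python
import io
import re
import zipfile

# Digest headers written by jarsigner, e.g. "SHA1-Digest:" in per-entry
# sections or "SHA-256-Digest-Manifest:" at the top of the .SF file.
DIGEST_HEADER = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")  # PKCS#7 signature block files


def signing_summary(apk):
    """Summarise the JAR signature files under META-INF/ (path or file object).

    Only metadata is read; nothing is cryptographically verified here.
    """
    with zipfile.ZipFile(apk) as zf:
        meta = [n for n in zf.namelist() if n.upper().startswith("META-INF/")]
        sf_files = [n for n in meta if n.upper().endswith(".SF")]
        blocks = sorted(n for n in meta if n.upper().endswith(BLOCK_SUFFIXES))
        digests = set()
        for name in sf_files:
            text = zf.read(name).decode("utf-8", "replace")
            digests.update(DIGEST_HEADER.findall(text))
    return {"signed": bool(sf_files and blocks),
            "digests": sorted(digests),
            "block_files": blocks}


def make_sample_apk(digest=None):
    """Build a constructed in-memory stand-in for an APK (placeholder digests)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed sample")
        if digest:  # digest=None yields an archive with no signature files
            sf = ("Signature-Version: 1.0\r\n"
                  f"{digest}-Digest-Manifest: cGxhY2Vob2xkZXI=\r\n\r\n"
                  "Name: classes.dex\r\n"
                  f"{digest}-Digest: cGxhY2Vob2xkZXI=\r\n\r\n")
            zf.writestr("META-INF/CERT.SF", sf)
            zf.writestr("META-INF/CERT.RSA", b"placeholder, not real PKCS#7")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, d in (("unsigned", None), ("SHA1", "SHA1"), ("SHA-256", "SHA-256")):
        print(label, signing_summary(make_sample_apk(d)))
```

Run against a real build with signing_summary("my_app.apk"); a check like this in the release pipeline catches a build whose digest algorithm changed after a JDK upgrade.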

Comments

  • pratik patel

    Another way to work around this using a JDK version is to pass some additional flags to the jar signer as so:
    jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore my_app.apk alias_name

  • Pascal Achard

    Thank you very much Pratik Patel! Your workaround seems to work perfectly ^^

  • Wienke

    Thanks Pratik! I am going to put it in the article.

  • Michael

    Getting the same error on some devices now with Studio 3.2, SDK 3.2. Tested JDK 1.7 and 1.6. Nothing helped. On my device it works. Google Play store accepts the file but some devices have problems installing them.

  • Daniel

    Did you find a solution to this problem? I just submitted an app to the play store and I am running into this on some devices, not all.

  • Adam Magaña

    This was a huge help in leading me to a solution to a problem I was having last night. I was able to re-sign my app and push an update to the Play Store just in time for a customer. Now that I understand the signing/aligning process a lot better I have a few questions in terms of optimization. Titanium by default signs APKs with a less compatible signature algorithm (sigalg) during the build process. It is not hard to retrieve and re-sign the unsigned APK it generates after the build is complete; however, is there any way to specify the desired sigalg in Titanium’s configuration or as a build setting? I searched high and low but could not find a way. Thank you so much for the insight and help!

  • Jake Dempsey

    I keep getting this issue when I build my app. I am guessing my keystore was created with 1.6 Java. When I use the Appcelerator Studio to build I get no errors and can submit to the store just fine. However, some users (not all) get this error when trying to install. I use the workaround of taking the unsigned APK and then using the different sigalg trick to re-sign and re-zipalign the APK, which then works for everyone. How can I make it so that my Appcelerator Studio build just works? Can I recreate or update my keystore file so that when Appcelerator does its thing I can just use the APK it generates? I still don’t fully understand how to solve this so that I don’t have to worry about it any longer. Would installing Java 1.8 cause the same problem since my keystore file was created with 1.6?

  • Jake Dempsey

    In looking at my keystore it has a sigalg of SHA256withRSA. In reading the Titanium docs it says that SHA256withRSA isn’t supported on devices older than 4.4. Could that be my core issue of why I’m having to re-sign using MD5withRSA?