How to resolve invalid SHA1 signature when signing the Android app?

Question

When I verify the signature of my application:

jarsigner -verify -verbose -certs testapp.apk

it gives me the error:

jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for res/drawable-xhdpi/breadcrumb_grey_white.png

How to resolve this?

possible duplicate of [invalid SHA1 signature file digest](http://stackoverflow.com/questions/8176166/invalid-sha1-signature-file-digest) — Andrejs Cainikovs, Apr 23 '12 at 19:21

score 11 · Answer 1 · answered Sep 28 '12 at 08:46

11

make sure to delete the META_INF folder in the apk before signing it. Also, if you are using JDK 7, then include the the option -sigalg MD5withRSA when signing with the jarsigner along with -digestalg SHA1 mentioned by Andrejs

answered Sep 28 '12 at 08:46

Padmanabha V

430
4
11

Caution: if you are trying to sign OSGi bundles remember META_INF/Manifest.mf has some required headers. removing META-INF folder will cause undesirable outcomes. – Govinnage Rasika Perera Mar 09 '15 at 04:52

score 3 · Answer 2 · edited May 23 '17 at 12:31

3

Ripped from here.

Here is the solution:

jarsigner -keystore mykeystore -digestalg SHA1 jarfile alias

To verify:

jarsigner -verify -verbose -certs jarfile

edited May 23 '17 at 12:31

Community

1
1

answered Apr 23 '12 at 19:18

Andrejs Cainikovs

27,428
2
75
95

1

When i verify with JDK 1.6.0 it is working perfectly but when i try with JDK 1.7.0 it is coming invalid SHA1 signature file digest for res/drawable-xhdpi/breadcrumb_grey_white.png. Why this is happening? – ChanGan Apr 24 '12 at 07:12
Perhaps you need to re-sign it with 1.7.0, and verify with the same version as well? – Andrejs Cainikovs Apr 24 '12 at 08:32
what is the procedure to resign with 1.7.0? – ChanGan Apr 25 '12 at 06:14
I don't know about resigning, but you might try sign unsigned *jar*. – Andrejs Cainikovs Apr 25 '12 at 06:35

How to resolve invalid SHA1 signature when signing the Android app?

2 Answers2