The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The certificate does not need to be signed by a certificate authority. Rather, it is typical for Android applications to use self-signed certificates.
Android applications that are not signed will not be installed on an emulator or a device. When a developer is ready to release an application for end-users, the developer signs it with a suitable private key. The developer can use self-signed certificates to sign its applications. No certificate authority is needed.
The Android system tests a signer certificate's expiration date only at install time. If an application's signer certificate expires after the application is installed, the application will continue to function normally. The developer can use standard tools (e.g., Keytool and Jarsigner) to generate keys and sign its application .apk files.
The Android system will not install or run an application that is not signed appropriately. This applies wherever the Android system is run, whether on an actual device or on the emulator.
When a developer builds in release mode, it uses its own private key to sign the application. When the developer compiles the application in release mode, a build tools uses the developer's private key along with a Jarsigner utility to sign the application's .apk file. Because the certificate and private key used are owned by the developer, the developer provides the password for the keystore and key alias. Some aspects of application signing may affect how the developer approaches the development of its application, especially if the developer is planning to release multiple applications.
In general, the recommended strategy for all developers is to sign all of its applications with the same certificate, throughout the expected lifespan of its applications. As the developer releases updates to its application, the developer must continue to sign the updates with the same certificate or set of certificates, if the developer wants users to be able to upgrade seamlessly to the new version. When the system is installing an update to an application, it compares the certificate(s) in the new version with those in the existing version. If the certificates match exactly, including both the certificate data and order, then the system allows the update. If the developer signs the new version without using matching certificates, the developer must also assign a different package name to the application—in this case, the user installs the new version as a completely new application.
When the developer has an application package that is ready to be signed, the developer can sign it using the Jarsigner tool. To sign the application, the developer runs Jarsigner, referencing both the application's APK and the keystore containing the private key with which to sign the APK.
Maintaining the security of a private key is of critical importance, both to the developer and to the user. If the developer allows someone to use its key, or if the developer leaves its keystore and passwords in an unsecured location such that a third-party could find and use them, the developer's authoring identity and the trust of the user are compromised.
If a third party should manage to take a developer's key without its knowledge or permission, that person could sign and distribute applications that maliciously replace the developer's authentic applications or corrupt them. Such a person could also sign and distribute applications under the developer's identity that attack other applications or the system itself, or corrupt or steal user data. A developer's reputation depends on its securing its private key properly, at all times, until the key is expired.