Is release APK really signed?

I am a kind of guy who will check the lock twice. So when I build release APK, though I ensured adding the signing key to config, I double check it. I consider it as part of release testing. Having said that, how do we verify that the APK is really signed or not?

Android documentation simply suggests

$ jarsigner -verify -verbose -certs my_application.apk

However, if you try this for both debug and release APKs, you will get

jar verified

What is going on? The key thing to understand is that both debug and release APKs are signed. Debug APK requires to be signed in order to be able to run on real devices for testing.

We shall check the certificate information in the verbose output. For debug APK, you will see

CN=Android Debug, O=Android, C=US

On the other hand, your release APK should show details of your certificate details similar to

CN=<dev name>, OU=Android Development, O=<org name>, etc.

In short, please don’t be misled by jar verified.

References

  1. http://developer.android.com/tools/publishing/app-signing.html#studio
  2. http://stackoverflow.com/a/7104680/15139