jarsigner: unable to sign jar: java.util.zip.ZipException: invalid entry compressed size (expected 463 but got 465 bytes)

7

96

When I sign the APK, I get this error message: "jarsigner: unable to sign jar: java.util.zip.ZipException: invalid entry compressed size (expected 463 but got 465 bytes)". The APK size is almost 1 MB. When I reduce the size to 500 KB, signing succeeds. Why is this so? Any idea?

Numerous answered 23/2, 2011 at 9:29 Comment(2)
#3267716 – Langill
Sometimes it happens when you try to sign a debug apk – Rosenblast
116

You are trying to sign an already signed .apk. You need to export an unsigned .apk file and then sign it with jarsigner.

Vent answered 23/2, 2011 at 9:44 Comment(5)
Bug in the POM — indeed the file was signed twice. – Salesclerk
Or you can just remove the signature from the existing apk with a single command. See: https://mcmap.net/q/217659/-jarsigner-unable-to-sign-jar-java-util-zip-zipexception-invalid-entry-compressed-size-expected-463-but-got-465-bytes – Parkland
I'm really disappointed that this is still the accepted answer 2 years after an actual solution was given. – Parkland
Had the same. When removing existing signature remember to remove signature entries from MANIFEST.MF file too. – Incomprehensive
This answer is still good though because it gives information about why it is happening, which is helpful for troubleshooting different use cases. For example my issue was with AppCenter, which did in fact warn me that I was attempting to resign a signed package, so I had to remove the signingConfig from my build.gradle ... horses for courses and all that! – Docilu
114

You definitely are able to sign an already signed APK multiple times using different keys:

Note that you can sign an APK multiple times with different keys.

E.g. I accomplished signing a Debug-Apk with the release key so that I was able to test upgrades of released versions. Also, I was able to sign an already released APK with the debug key for reproducing bugs.

This is what you should do

  1. Rename the .apk file to .zip
  2. Unpack the .zip file and remove the META-INF folder
  3. Zip the folder again and rename it to .apk
  4. Sign the apk:
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
              -keystore my-release-key.keystore my_application.apk alias_name

For the debug key, the alias should be androiddebugkey and the password android. The debug keystore is by default $HOME/.android/debug.keystore. See also Sign your debug build.

Wozniak answered 24/1, 2012 at 19:27 Comment(6)
You saved my day, and possibly my apps as well! Eclipse crashes every time I try to export my apps, signed or not, so the only way to go for me was command-line and then I had this error. Only solution that worked! Thanks again – Cadent
@Guillaume, to avoid Eclipse crashing - turn off "Build Automatically" (Project->Build automatically) – Nataline
The CERT.RSA file which holds the signature is stored in the META-INF folder which you are suggesting to remove. Which in effect is the same as removing the signature. So that's why you are able to sign it with the debug key. So it doesn't mean that you have signed the apk with two different keys. – Basilbasilar
I have signed the apk successfully but I am getting the below error while installing the app: "error - There is a problem parsing the package". What might be the issue? Please help. – Aerospace
For the record, this method did not work for me; even after deleting the META-INF folder I still get the ZipException – Hopson
I have a single command that accomplishes this much easier in my answer below. https://mcmap.net/q/217659/-jarsigner-unable-to-sign-jar-java-util-zip-zipexception-invalid-entry-compressed-size-expected-463-but-got-465-bytes I have confirmed that the inappropriately signed APK that I received from a vendor was able to be resigned after running this single command. – Parkland
65

This is the 1 Liner/1 Step version of @Joerg's answer above:

    zip -d foo.apk META-INF/\*

That uses the built in "delete from existing archive" functionality of the zip command. When you run that command you should see:

    deleting: META-INF/MANIFEST.MF
    deleting: META-INF/CERT.SF
    deleting: META-INF/CERT.RSA

...as the output. Those files are the existing signature. Removing them allows you to sign it again.

I would also like to reiterate that you should be sure to pass the -sigalg SHA1withRSA and -digestalg SHA1 arguments to the jarsigner to avoid this issue: https://code.google.com/p/android/issues/detail?id=19567

Parkland answered 9/6, 2015 at 3:29 Comment(5)
Be careful with zip -d foo.apk META-INF/* - it can delete more files than needed. – Wyatan
@DannySchoemann Meaning what? I see 3 files in META-INF/gdata/kinds/com.google.schemas.contact.2008 and META-INF/services/com.fasterxml.jackson.core.JsonFactory. So will I be safe if only the manifest and cert files are removed? – Cascio
@kaay- That looks right, but I don't know for sure, you may have to experiment which you need to delete. – Wyatan
I have a lot of androidx.* in my META-INF so definitely remove those 3 files one by one. – Beryl
After trying this I got this error Warning: The signer's certificate is self-signed. Any ideas? – Emogene
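
A narrower alternative to deleting everything under META-INF/, given here as an added example that is not part of the original answers or comments: the Python code below rewrites the archive without the three kinds of JAR signature files shown in the output above and keeps other META-INF content such as the services/ entry mentioned in the comments. The function names, the sample archive and the androidx entry name are constructed for illustration.

```python
import io
import re
import zipfile

# JAR signature files sit directly in META-INF/: the manifest, each
# signer's .SF file and its signature block (.RSA, .DSA or .EC).
SIGNATURE_ENTRY = re.compile(
    r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.IGNORECASE)


def strip_jar_signature(apk_bytes):
    """Return (new_archive_bytes, removed_names); only signature entries are dropped."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                removed.append(info.filename)
                continue
            # Passing the ZipInfo keeps name, timestamp and compression method.
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


def entry_names(archive_bytes):
    """List the entry names of an in-memory ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return zf.namelist()


def build_sample_apk():
    """Constructed sample archive (not a real APK) that carries signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("AndroidManifest.xml", "classes.dex",
                     "META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA",
                     "META-INF/services/com.fasterxml.jackson.core.JsonFactory",
                     "META-INF/androidx.core_core.version"):  # constructed name
            zf.writestr(name, "constructed content for " + name)
    return buf.getvalue()


if __name__ == "__main__":
    stripped, removed = strip_jar_signature(build_sample_apk())
    print("removed:", removed)
    print("kept:", entry_names(stripped))
```

Rewriting the archive discards any zipalign alignment, so run zipalign again after signing.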
28

I encountered this when signing my .aab file. Removing the duplicate signing (once as part of the bundling, once manually) fixed it. This was part of the default react-native app scaffolding.

The app/build.gradle file includes a section android/buildTypes/release which had its signingConfig key set. When generating .apk files it seemed to be ignored but when switching to .aab format it looks like it did apply that signing. When I then did my own signing in CI, it complained because it was already signed.

Antilogism answered 30/12, 2020 at 15:5 Comment(7)
Great observation! I was stuck on this while trying to publish a bundle via CI. Thank you. – Spenser
Hats off to you, sir! For those following along, you'll want to comment out the line which says "signingConfig signingConfigs.debug" under release or set up your own. – Prima
To further complement this, here are the React Native docs that specify what you need to do. link – Ophite
You must be north, cos you're a star! – Carlock
Excellent man. I couldn't have guessed in ages – Monosyllabic
I had generated my Android project from ReactNative 0.67 last year which seems to have created this problem, now I'm using the new bundle signing. Commenting out the release signing section stopped the gradlew bundleRelease from signing the .aab file with the debug key. Then I can sign it with my release key using jarsigner and it uploads OK. As @Ophite points out, I will have to upgrade my RN project. – Greenheart
Nice man. Same scenario – Camelopardalis
3

According to Google's documents you can sign an apk multiple times: http://developer.android.com/guide/publishing/app-signing.html#signapp. If you are unable to get an unsigned build, though, you can just inflate the apk and then rejar it; you will then be able to sign it.

Artair answered 6/5, 2011 at 19:8 Comment(0)
3

As far as I faced this error, it occurs when you try to sign a zipaligned .apk file.
Looks like jarsigner can't stand some of the zipalign changes. This doesn't occur often.

Nataline answered 23/10, 2012 at 8:37 Comment(4)
Zipaligning an apk does not prevent it from being signed. You will have to run zipalign again after signing to get it back into an aligned state. – Fanaticism
@Fanaticism It doesn't prevent, but it should. Aligning modifies zip. Signing sometimes fails to sign aligned zip with this error. Why downvote? – Nataline
You've now changed the meaning of your answer. Your previous answer strongly suggested that it was not possible to sign a zip-aligned file. That was incorrect. – Fanaticism
@dmdrummond, No, It didn't. You may reread the preedit version (stackoverflow.com/posts/13026461/revisions) – Nataline
0

Removing signingConfig signingConfigs.debug in the release config in build.gradle worked for me:

    release {
        // signingConfig signingConfigs.debug -> removed
    }

Living answered 24/5, 2023 at 8:58 Comment(0)