Signing with apksigner and APK Signature scheme v2
When do we sign using the apksigner?
APK Signature Scheme v2 was introduced in Android 7.0 to protect APK files more strongly. After that, APK Signature Scheme v3 was introduced in Android 9.0 and APK Signature Scheme v4 was introduced in Android 11.0.
-signature verification process by google-
Before APK Signature Scheme v2, signing was based on signed JARs using jarsigner; since v2, it has been based on apksigner.
Then, in which cases do we sign using the apksigner?
- When the Signature Versions v2 option was selected when building the app (APK Signature Scheme v2).
- When targetSdkVersion was set higher than 30 when building the app.
In the above cases, signing must be done using apksigner. An app signed with jarsigner can still be installed and run without major problems, but an error may occur when uploading the app to Google Play Console.
How to check Signature Scheme version for an app
1. Check it in Android Studio
The app uses V2 if 'V2 (Full APK Signature)' is checked in 'Generate Signed Bundle or APK'.
-signature version select in Android Studio-
2. Check it from the command line
java -jar [apksigner.jar Path] verify -v --print-certs [Apk’s Path before applying LIAPP]
Ex) C:>java -jar D:\android\sdk\build-tools\28.0.0\lib\apksigner.jar verify -v --print-certs C:\app-release.apk
If "Verified using v2 scheme (APK Signature Scheme v2)" is true, the APK is V2; if it is false, it is V1.
zipalign
The important point is that, if you use apksigner, zipalign must be performed before the APK file is signed. If you sign your APK using apksigner and then make further changes to the APK, its signature is invalidated.
zipalign -f -v 4 "apk file Path that needs zipalign" "apk file Path that will be saved after zipalign-ing"
-zipalign command in windows cmd-
Signing with apksigner
Signing the zipaligned file with apksigner is simple, as shown below.
[ Windows ]
java -jar [APKSIGNER_PATH] sign -v --out [SAVED_APK_PATH] --ks [KEYSTORE_PATH] --ks-key-alias [ALIAS_NAME] [APK_FILE_PATH]
[ MAC ]
[APKSIGNER_PATH] sign -v --out [SAVED_APK_PATH] --ks [KEYSTORE_PATH] --ks-key-alias [ALIAS_NAME] [APK_FILE_PATH]
[APKSIGNER_PATH] is the location of apksigner. The apksigner tool is available in revision 24.0.3 and higher of the Android SDK Build Tools, and you can locate it as follows.
1) Check the SDK path in Android Studio: Tools menu => SDK Manager => Android SDK Location
2) Find the apksigner file in the SDK directory: SDK directory => build-tools directory => buildToolsVersion directory => lib directory => apksigner.jar file. On Mac, the apksigner file is in the buildToolsVersion directory.
A prompt for the keystore password will appear once you run the command.
Keystore password for signer #1:
When typing the keystore password, the password characters will not be displayed on the screen, but they are actually entered. Once the correct keystore password has been entered, you can proceed with the next step. If the keystore password and key password are identical, the signing will proceed immediately. If the keystore password and key password are different, you will be prompted to enter the key password.
Key "KEY_NAME" password for signer #1:
Once the correct key password has been entered, signing will proceed and "Signed." will be displayed when the signing is completed.
-apksigner command in windows cmd-
If you use the --ks-pass pass: and --key-pass pass: options on the command line, you can supply the passwords in the command itself. With these options, the password prompts are not shown and the passwords are entered automatically.
[ Windows ]
java -jar [APKSIGNER_PATH] sign -v --out [SAVED_APK_PATH] --ks [KEYSTORE_PATH] --ks-pass pass:"keystore_password" --key-pass pass:"key_password" --ks-key-alias [ALIAS_NAME] [APP_FILE_PATH]
[ MAC ]
[APKSIGNER_PATH] sign -v --out [SAVED_APK_PATH] --ks [KEYSTORE_PATH] --ks-pass pass:"keystore_password" --key-pass pass:"key_password" --ks-key-alias [ALIAS_NAME] [APP_FILE_PATH]
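The steps above (zipalign, sign, then check the scheme) combined into one script, as an added example that is not from the original post. It assumes zipalign and apksigner are on PATH and that the passwords sit in the hypothetical environment variables KS_PASS and KEY_PASS, read through apksigner's env: password form instead of pass: so they stay off the command line; the function names and the sample verify output are constructed for illustration.

```shell
#!/bin/sh
# Added example: zipalign -> sign -> verify, with a gate on the v2 scheme.
# Assumptions: zipalign and apksigner are on PATH; KS_PASS and KEY_PASS are
# environment variables (hypothetical names) holding the two passwords.

# Read `apksigner verify -v` output on stdin and print "true" or "false" for
# the requested scheme (v1, v2, v3, ...), or "unknown" if no such line exists.
scheme_verified() {
    awk -v want="Verified using $1 scheme" '
        index($0, want) == 1 {
            sub(/\r$/, "")                  # tolerate Windows line endings
            n = split($0, f, ": "); print f[n]; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Succeed only if the verify output on stdin reports the v2 scheme as true.
require_v2() {
    [ "$(scheme_verified v2)" = "true" ]
}

# Align first, then sign, then verify: any change made after signing
# (zipalign included) invalidates the signature.
sign_apk() {   # usage: sign_apk in.apk out.apk keystore alias
    aligned="${2%.apk}-aligned.apk"
    zipalign -f -v 4 "$1" "$aligned" || return 1
    # env: keeps the passwords out of the process arguments and shell history.
    apksigner sign -v --out "$2" --ks "$3" --ks-key-alias "$4" \
        --ks-pass env:KS_PASS --key-pass env:KEY_PASS "$aligned" || return 1
    apksigner verify -v --print-certs "$2" | require_v2
}

# Constructed sample of `apksigner verify -v` output for a v1-only APK.
SAMPLE_V1_ONLY='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1'

# Gate demo on the constructed sample: v2 is false, so the gate rejects it.
printf '%s\n' "$SAMPLE_V1_ONLY" | require_v2 || echo "v2 signature missing"
```

In a build script, call `sign_apk` and stop the release if it returns non-zero, so an APK without a valid v2 signature is caught before upload.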
Visit the LIAPP Tech blog for more information on how to verify signing!