This section shows how to sign an APK with APKSigner and provides a demonstration.

Sign an APK

Find the apksigner module at /Android/sdk/build-tools/<version>/ and perform the following steps to sign an APK with APKSigner:
1. If you are using a JDK version newer than 17, run the following command:
Shell
sudo nano /Android/sdk/build-tools/<version>/apksigner
and replace javaOpts="" with the following line:
javaOpts="--add-opens=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED"
2. To sign an APK with Android APKSigner, run the command shown below, adjusting the values for the following arguments to match your environment:
  • --ks-key-alias: The key alias you provided in the previous section, such as Android APK Signer:apksignerdemo:C. Note: If there are spaces in the key alias, make sure to wrap the entire alias in double quotes.
  • --in: The .apk file you want to sign, including the full path to the file if necessary.
  • --out: The name of the signed .apk file, including the full path if necessary.
Shell
sudo ./apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 --ks NONE --ks-type PKCS11 --ks-key-alias <key-alias> --in <unsigned.apk> --out <signed.apk>

When prompted for the keystore password for signer #1, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
3. To verify the signature of the output file, run the following command:
Shell
sudo ./apksigner verify --verbose <signed.apk>
You should see output similar to the following example:
Shell
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
In the preceding example, the APK was signed with more than one Android signature scheme version (v2 and v3 both verify). To sign with only one signature scheme version, add the following flags to your command and enable only the version you want to use:
Shell
--v1-signing-enabled <true or false> --v2-signing-enabled <true or false> --v3-signing-enabled <true or false> --v4-signing-enabled <true or false>
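The verification output from step 3 can also be checked automatically, so that a build fails when the signed APK does not carry the schemes you enabled. The following script is an added example, not part of the vendor's or Android's tooling; the function names and the sample policy (v2 and v3 required, one signer) are assumptions, and the sample input is the output shown above.

```shell
#!/bin/sh
# Added example (not vendor code): policy gate over `apksigner verify --verbose` output.

# Constructed sample input: the verification output shown on this page.
SAMPLE_OUTPUT='Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1'

# scheme_status <version>: read verify output on stdin and print "true",
# "false" or "missing" for that scheme. index() matches literally, so
# "v3" cannot match the "v3.1" line.
scheme_status() {
    awk -v ver="$1" '
        index($0, "Verified using " ver " scheme ") == 1 {
            sub(/^.*: /, ""); gsub(/[ \t\r]+$/, ""); print; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# check_apk_signature "<required schemes>" <expected signer count>
# Reads verify output on stdin. Returns 0 only if apksigner reported
# "Verifies", every required scheme is "true" and the signer count matches.
check_apk_signature() {
    required_schemes="$1"; expected_signers="$2"
    verify_output=$(cat)
    printf '%s\n' "$verify_output" | grep -qx 'Verifies' ||
        { echo "FAIL: apksigner did not report 'Verifies'" >&2; return 1; }
    for ver in $required_schemes; do
        scheme_result=$(printf '%s\n' "$verify_output" | scheme_status "$ver")
        [ "$scheme_result" = "true" ] ||
            { echo "FAIL: $ver scheme reported '$scheme_result'" >&2; return 1; }
    done
    signers=$(printf '%s\n' "$verify_output" |
        awk -F': ' '/^Number of signers:/ { gsub(/[ \t\r]+$/, "", $2); print $2; exit }')
    [ "$signers" = "$expected_signers" ] ||
        { echo "FAIL: expected $expected_signers signer(s), found '$signers'" >&2; return 1; }
    return 0
}

# Demo on the constructed sample. In a build, pipe in the real command instead:
#   ./apksigner verify --verbose <signed.apk> | check_apk_signature "v2 v3" 1
printf '%s\n' "$SAMPLE_OUTPUT" | check_apk_signature "v2 v3" 1 && echo "signature policy satisfied"
```
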

APKSigner demonstration

The following example demonstrates a signing command with APKSigner:
Shell
sudo ./apksigner sign --provider-class "sun.security.pkcs11.SunPKCS11" --ks NONE --ks-type PKCS11 --ks-key-alias "Android APK Signer:apksignerdemo:C" --in /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/app-debug.apk --out /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/signed-app-debug.apk 
The following example demonstrates a verification command with APKSigner:
Shell
sudo ./apksigner verify --verbose /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/signed-app-debug.apk
For more information on APKSigner and its functions, refer to the Android Developer Documentation (developer.android.com/tools/apksigner).