Sign APKs with Android APKSigner by using Futurex PKCS #11

3min
This section shows how to sign an APK with APKSigner and provides a demonstration.
Sign an APK with APKSigner
Find the apksigner module at /Android/sdk/build-tools/<version>/ and perform the following steps:
1
To sign an APK with Android APKSgner, run the following command:
Adjust the values for the following arguments to match your environment:
--ks-pass: The password set for the keystore when you created it in the previous section,
--ks-key-alias: The key alias you provided in the previous section, such as apksignerdemo.
--in: The .apk file you want to sign, including the full path to the file if necessary. 
--out: The name of the signed .apk file, including the full path if necessary.
Shell
sudo ./apksigner sign -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex  --ks NONE --ks-type PKCS11 --ks-pass pass:<keystore password> --ks-key-alias <key alias> --in <unsigned.apk> --out <signed.apk> 

sudo ./apksigner sign -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex  --ks NONE --ks-type PKCS11 --ks-pass pass:<keystore password> --ks-key-alias <key alias> --in <unsigned.apk> --out <signed.apk> 
﻿
2
To verify the signature of the output file, run the following command:
Shell
sudo ./apksigner verify -verbose <signed.apk> 
sudo ./apksigner verify -verbose <signed.apk> 
﻿
You should see output similar to the following example:
Shell
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
﻿
In the preceding example, multiple signatures occurred for different Android signing versions.  To only sign with one signing version type, add the following flags to your command and enable only the version you want to use to sign:
Shell
--v1-signing-enabled <true or false> --v2-signing-enabled <true or false> --v3-signing-enabled <true or false> --v4-signing-enabled <true or false>
--v1-signing-enabled <true or false> --v2-signing-enabled <true or false> --v3-signing-enabled <true or false> --v4-signing-enabled <true or false>
﻿
APKSigner demonstration
The following example demonstrates a signing command with APKSigner:
Shell
sudo ./apksigner sign --provider-class "fx.security.pkcs11.SunPKCS11"  --ks NONE --ks-type PKCS11 --ks-pass pass:safest --ks-key-alias apksigner --in /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/app-debug.apk --out /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/signed-app-debug.apk 
sudo ./apksigner sign --provider-class "fx.security.pkcs11.SunPKCS11"  --ks NONE --ks-type PKCS11 --ks-pass pass:safest --ks-key-alias apksigner --in /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/app-debug.apk --out /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/signed-app-debug.apk 
﻿
The following example demonstrates a verification command with APKSigner:
Shell
sudo ./apksigner verify -verbose /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/signed-app-debug.apk 
sudo ./apksigner verify -verbose /root/AndroidStudioProjects/MyApplication/app/build/outputs/apk/debug/signed-app-debug.apk 
﻿
For more information on APKSigner and its functions, refer to the Android Developer Documentation. 
Updated 29 Aug 2024
Did this page help you?
Create a Java keystore
Java Jarsigner