[TECH] Signing with apksigner and APK Signature scheme v2

This is explanatory guide for how to sign Android APK file manually for APK Signature scheme v2 signing system using the apksigner, and zipalign.


[TECH] Signing with apksigner and APK Signature scheme v2

In the previous post ( ANDROID APP SIGNING & ZIPALIGN ) we discussed how to sign with jarsigner on apk and aab files using the APK Signature Scheme v1.
This post, we will be discussing about signing apk file using the apksigner.
You might wonder why we need to know about signing using the apksigner when we can use jarsigner.
APK Signature Scheme v2 was introduced in Android 7.0 to protect apk file more vital.
After that, APK Signature Scheme v3 was introduced in Android 9.0 and APK Signature Scheme v4 was introduced in Android 11.0.
signature verification process by google
Before APK Signature Scheme v2, the signing was based on Signed JAR using the jarsigner, and it is started to be based on apksigner since v2.

Then, in which cases do we sign using the apksigner?

1) In case of Signature Versions v2 option was selected when building an app. (APK Signature Scheme v2)
2) In case of targetSdkVersion was set higher than 30 when building an app

For above cases, signing must be done using the apksigner.
There are no major problems for an app to be installed and run when signing with the jarsigner, but an error could be occurred when uploading the app on Google Play Console.

How to check Signature Scheme version for an app

1. Check it from Android studio
It is V2 version in case 'V2 (Full APK Signature)' is checked in the 'Generate Signed Bundle or APK'
signature version select in Androidstudio
2. Check it from Command
java -jar [apksigner.jar Path] verify -v --print-certs [Apk’s Path before applying LIAPP]
Ex) C:\>java -jar D:\android\sdk\build-tools\28.0.0\lib\apksigner.jar verify -v --print-certs C:\app-release.apk

If Verified using v2 scheme (APK Signature Scheme v2) is true then it is V2, is false then it is V1.


Important point is, If you use apksigner, zipalign must only be performed before the APK file has been signed.
If you sign your APK using apksigner and make further changes to the APK, its signature is invalidated.
Therefore, zipalign must only be performed before signing apk.

zipalign -f -v 4 "apk file Path that needs zipalign" "apk file Path that will be saved after zipalign-ing "
zipalign command in windows cmd

Signing with apksigner

It is simple to sign with apksigner on completed zipalign file as below.

[ Windows ]
java -jar [APKSIGNER_PATH] sign -v --out [SAVED_APK_PATH] --ks [KEYSTORE_PATH] --ks-key-alias [ALIAS_NAME] [APK_FILE_PATH]
[ MAC ]
[APKSIGNER_PATH] is the place where apksigner is located.
The apksigner tool, available in revision 24.0.3 and higher of the Android SDK Build Tools and you can check it as below.

1) Check SDK path in the Android Studio
Tool menu => SDK Manager => Android SDK Location path check
2) Check Apksigner file from the SDK directory
SDK Directory => build-tools directory =>buildToolsVersion directory =>lib directory =>check apksigner.jar file
In case of MAC, check apksigner file from the buildToolsVersion directory
A message to enter the password for the keystore will appear once you proceed a command.

Keystore password for signer #1:

When typing the keystore password, the password characters will not be displayed on the screen, but they are actually entered.
Once the correct keystore password has been entered, you can proceed with the next step.
If the keystore password and key password are identical, the signing will proceed immediately.
If the keystore password and key password are different, you will be prompted to enter the key password.

Key "KEY_NAME" password for signer #1:

Once the correct key password has been entered, signing will proceed and "Signed." will be displayed when the signing is completed.
apksigner command in windows cmd
If you use –ks-pass pass: and –key-pass:pass option in the command line, you can set password beforehand and command.
If you use this option, the message to enter password will not be shown, just automatically entered.

[ Windows ]
java -jar [APKSIGNER_PATH] sign -v --out [SAVED_APK_PATH] --ks [KEYSTORE_PATH] --ks-pass pass:"keystore_password" --key-pass pass:"key_password" --ks-key-alias [ALIAS_NAME] [APP_FILE_PATH]
[ MAC ]
[APKSIGNER_PATH] sign -v --out [SAVED_APK_PATH] --ks [KEYSTORE_PATH] --ks-pass pass:"keystore_password" --key-pass pass:"key_password" --ks-key-alias [ALIAS_NAME] [APP_FILE_PATH]

Verify Signing

To check if signing with the apksigner is applied well, you can use below command.

[ Windows ]
java -jar [APKSIGNER_PATH] verify -v --print-certs [APP_FILE_PATH]
[ MAC ]
[APKSIGNER_PATH] verify -v --print-certs [APP_FILE_PATH]

If signing works properly, you can check "Verified using v2 scheme (APK Signature Scheme v2): true" as below.
verify signing command in windows cmd

zipalign & Signing with script file

So we have gone through how to sign with the apksigner.
To proceed this process easily, we are sharing script file.

[ Bat file for Window users]

[ Sh file for MAC users]

After you download the file, open with notepad or text editor. Save after you edit below contents.

KeyStorePath="Keystore Path"
ALIAS_NAME="Alias Name"
STORE_PASS="Keystore Password"
KEY_PASS="Key Password"
ZIP_ALIGN="zipalign file path"
APKSIGNER_PATH="apksigner file path"

The zipalign and apksigner files are located in build-tools in the path where Android SDK is installed.
If you want to enter your own password without saving it, --ks-pass and --key-pass related options need to be removed.

Windows users can drag the app file to be signed to the LIAPP_sign_window.bat file and it will run immediately.
MAC users can run a terminal program either by dragging script files and app files in order, or entering paths as shown below.

Ex. /Users/username/Downloads/LIAPP_apksign_mac.sh /Users/username/AndroidStudioProjects/MyApplication/app/release/app-release.apk
When you see ‘Permission denied’ message on Mac, you can give a permission to run as below.

Ex. chmod +x /Users/username/Downloads/LIAPP_apksign_mac.sh

Once it runs properly, zipalign will be performed first, and then signing will be done.
If the message "Signed." has been confirmed without any issues during the signing process, press any key to proceed with signing.
The completed file is saved with _signed following the file name.

For more information on signing using apksigner and APK Signature Scheme, please refer to the URL below.

apksigner : https://developer.android.com/studio/command-line/apksigner
app-signing : https://developer.android.com/studio/publish/app-signing
APK Signature Scheme : https://source.android.com/security/apksigning

LIAPP, we provide the best service possible.


#android_application_security #ios_application_security #ios_application_security #source_code_hardening #android_app_bundle #AAB #APK #Android App Bundle #mobile_application_security #mobile_game_security #source_code_security #Anti-tampering #anti_memory_dump #anti_malware #detecting_hacktools #anti_repackaging