The apksigner tool, available in revision 24.0.3 and higher of the Android SDK Build Tools, allows you to sign APKs and to confirm that an APK's signature will be verified successfully on all versions of the Android platform supported by those APKs. This page presents a short guide for using the tool and serves as a reference for the different command-line options that the tool supports. For a more complete description of how the apksigner tool is used for signing your APKs, see the Signing Your Application guide.
Caution: If you sign your APK using apksigner and make further changes to the APK, the APK's signature is invalidated. Therefore, you must use tools such as zipalign before signing your APK.
The syntax for signing an APK using the apksigner tool is as follows:
apksigner sign --ks keystore.jks | --key key.pk8 --cert cert.x509.pem [signer_options] app-name.apk
When you sign an APK using the apksigner tool, you must provide the signer's private key and certificate. You can include this information in two different ways:
--ks option.
--key and --cert options, respectively. The private key file must use the PKCS #8 format, and the certificate file must use the X.509 format.
Usually, you sign an APK using only one signer. In the event that you need to sign an APK using multiple signers, use the --next-signer option to separate the set of general options to apply to each signer:
apksigner sign [signer_1_options] --next-signer [signer_2_options] app-name.apk
The syntax for confirming that an APK's signature will be verified successfully on supported platforms is as follows:
apksigner verify [options] app-name.apk
The following lists include the set of options for each command that the apksigner tool supports.
The following options specify basic settings to apply to a signer:
--out <apk-filename>
--min-sdk-version <integer>
apksigner uses to confirm that the APK's signature will be verified. Higher values allow the tool to use stronger security parameters when signing the app but limit the APK's availability to devices running more recent versions of Android. By default, apksigner uses the value of the minSdkVersion attribute from the app's manifest file.
--max-sdk-version <integer>
apksigner uses to confirm that the APK's signature will be verified. By default, the tool uses the highest possible API level.
--v1-signing-enabled <true | false>
apksigner signs the given APK package using the traditional, JAR-based signing scheme. By default, the tool uses the values of --min-sdk-version and --max-sdk-version to decide when to apply this signature scheme.
--v2-signing-enabled <true | false>
apksigner signs the given APK package using the APK Signature Scheme v2. By default, the tool uses the values of --min-sdk-version and --max-sdk-version to decide when to apply this signature scheme.
-v, --verbose
The following options specify the configuration of a particular signer. These options aren't necessary if you sign your app using only one signer.
--next-signer <signer-options>
--v1-signer-name <basename>
apksigner uses the key alias of the KeyStore or the basename of the key file for this signer.
The following options specify the signer's private key and certificate:
--ks <filename>
"NONE", the KeyStore containing the key and certificate doesn't need a file specified, which is the case for some PKCS #11 KeyStores.
--ks-key-alias <alias>
--ks-pass <input-format>
The password for the KeyStore that contains the signer's private key and certificate. You must provide a password to open a KeyStore. The apksigner tool supports the following formats:
pass:<password> – Password provided inline with the rest of the apksigner sign command.
env:<name> – Password is stored in the given environment variable.
file:<filename> – Password is stored as a single line in the given file.
stdin – Password is provided as a single line in the standard input stream. This is the default behavior for --ks-pass.
Note: If you include multiple passwords in the same file, specify them on separate lines. The apksigner tool associates passwords with an APK's signers based on the order in which you specify the signers. If you've provided two passwords for a signer, apksigner interprets the first password as the KeyStore password and the second one as the key password.
--key-pass <input-format>
The password for the signer's private key, which is needed if the private key is password-protected. The apksigner tool supports the following formats:
pass:<password> – Password provided inline with the rest of the apksigner sign command.
env:<name> – Password is stored in the given environment variable.
file:<filename> – Password is stored as a single line in the given file.
stdin – Password is provided as a single line in the standard input stream. This is the default behavior for --key-pass.
Note: If you include multiple passwords in the same file, specify them on separate lines. The apksigner tool associates passwords with an APK's signers based on the order in which you specify the signers. If you've provided two passwords for a signer, apksigner interprets the first password as the KeyStore password and the second one as the key password.
--ks-type <algorithm>
apksigner uses the type defined as the keystore.type constant in the Security properties file.
--ks-provider-name <name>
apksigner uses the highest-priority provider.
--ks-provider-class <class-name>
--ks-provider-name. By default, apksigner uses the provider specified with the --ks-provider-name option.
--ks-provider-arg <value>
--ks-provider-class option. By default, apksigner uses the class's 0-argument constructor.
--key <filename>
apksigner prompts for the password using standard input unless you specify a different kind of input format using the --key-pass option.
--cert <filename>
--print-certs
--min-sdk-version <integer>
apksigner uses to confirm that the APK's signature will be verified. Higher values allow the tool to use stronger security parameters when signing the app but limit the APK's availability to devices running more recent versions of Android. By default, apksigner uses the value of the minSdkVersion attribute from the app's manifest file.
--max-sdk-version <integer>
apksigner uses to confirm that the APK's signature will be verified. By default, the tool uses the highest possible API level.
-v, --verbose
-Werr
Sign an APK using release.jks, which is the only key in the KeyStore:
$ apksigner sign --ks release.jks app.apk
Sign an APK using a private key and certificate, stored as separate files:
$ apksigner sign --key release.pk8 --cert release.x509.pem app.apk
Sign an APK using two keys:
$ apksigner sign --ks first-release-key.jks --next-signer --ks second-release-key.jks app.apk
Check whether the APK's signatures are expected to be confirmed as valid on all Android platforms that the APK supports:
$ apksigner verify app.apk
Check whether the APK's signatures are expected to be confirmed as valid on Android 4.0.3 (API level 15) and higher:
$ apksigner verify --min-sdk-version 15 app.apk
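The Caution above (align before signing) and the --ks-pass input formats, combined in one signing routine for a build script. This is an added example, not part of the apksigner documentation; the function names, the KS_PASS variable, the file names and the "-aligned.apk" suffix are assumptions, and the "-f 4" arguments belong to zipalign rather than to this page.

```sh
# Added example: align, sign, then verify, with the password kept off the
# command line. Function names and file naming are assumptions of this sketch.

# Accept only the --ks-pass / --key-pass formats that keep the secret out of
# argv. "pass:<password>" is refused because inline arguments end up in shell
# history and are visible in process listings.
pass_spec_ok() {
    case "$1" in
        env:?*|file:?*|stdin) return 0 ;;
        *) return 1 ;;
    esac
}

# sign_release <unsigned.apk> <signed.apk> <keystore> <password-spec>
sign_release() {
    sr_in=$1 sr_out=$2 sr_ks=$3 sr_pass=$4
    sr_aligned="${sr_out%.apk}-aligned.apk"

    if ! pass_spec_ok "$sr_pass"; then
        # Print only the scheme so a rejected pass:<password> is not echoed.
        echo "refusing password source '${sr_pass%%:*}'; use env:, file: or stdin" >&2
        return 2
    fi

    # zipalign runs before signing: any later change invalidates the signature.
    zipalign -f 4 "$sr_in" "$sr_aligned" || return 3

    # --out writes the signed APK to a separate file instead of signing in place.
    apksigner sign --ks "$sr_ks" --ks-pass "$sr_pass" \
        --out "$sr_out" "$sr_aligned" || return 4

    # -Werr treats verification warnings as errors, so the build fails on them.
    apksigner verify -Werr "$sr_out" || return 5
}

# Typical call from a build job, with the password in the KS_PASS variable:
#   sign_release app-unsigned.apk app.apk release.jks env:KS_PASS
```
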