apksigner
Signs Android application packages
SYNOPSIS
apksigner command [options] apk_file(s)
Common commands:
sign [options] input_apk [--out output_apk]
verify [options] apk_file
rotate [options] apk_file
PARAMETERS
--ks
Path to the keystore file containing the signing key.
--ks-key-alias
Alias of the private key to be used for signing within the keystore.
--ks-pass
Password for the keystore. Can be 'pass:
--key-pass
Password for the private key. Can be 'pass:
--min-sdk-version
Minimum Android SDK version supported by the APK, relevant for signature scheme eligibility.
--v1-signing-enabled
Enable or disable traditional JAR signing (APK Signature Scheme v1).
--v2-signing-enabled
Enable or disable APK Signature Scheme v2 (Android 7.0+).
--v3-signing-enabled
Enable or disable APK Signature Scheme v3 (Android 9.0+), supporting signature rotation.
--v4-signing-enabled
Enable or disable APK Signature Scheme v4 (Android 11+), for streaming installations.
--in
Specifies the input APK file for signing or verification operations.
--out
Specifies the output APK file path after signing. If not provided, the APK is signed in place, overwriting the input file.
--print-certs
For the 'verify' command, prints details about the certificates used to sign the APK.
--verbose
Prints more detailed output for commands like 'verify', including signature verification results.
--debug
Enables debug output for troubleshooting purposes.
DESCRIPTION
apksigner is a command-line tool, part of the Android SDK Build-Tools, essential for signing Android application packages (APKs). Proper signing ensures the integrity and authenticity of an app, allowing Android devices and the Google Play Store to verify its origin and detect any tampering. It supports the modern APK Signature Schemes v2, v3, and v4, which offer improved security, faster installation, and features such as signature rotation and incremental installation, and it supersedes the older jarsigner tool for Android app signing. Beyond signing, apksigner can also verify existing APK signatures and report the certificates and schemes used, making it an indispensable tool for Android developers and security analysts.
CAVEATS
apksigner requires a Java Development Kit (JDK) to be installed and configured in your system's PATH. It is distributed as part of the Android SDK Build-Tools, meaning its exact location may vary depending on your SDK installation. For modern Android app distribution, it's the recommended tool, as APK Signature Schemes v2, v3, and v4 are crucial for integrity, performance, and compatibility on newer Android versions and with Google Play.
APK SIGNATURE SCHEMES
V1 (JAR Signing): The traditional scheme, compatible with all Android versions. It signs the individual JAR entries of the APK and does not protect against all modifications made after signing.
V2 (APK Signature Scheme v2): Introduced in Android 7.0 (Nougat). This scheme signs the entire APK as a single blob. It offers stronger integrity guarantees and significantly faster verification/installation.
V3 (APK Signature Scheme v3): Introduced in Android 9.0 (Pie). Builds upon V2 by adding a new signature block that allows for signature rotation, enabling developers to change their app's signing key over time while maintaining update continuity.
V4 (APK Signature Scheme v4): Introduced in Android 11. Primarily designed to support streaming installations via ADB and Google Play, making installation of large APKs faster and more efficient by hashing the entire APK contents and keeping the result outside the APK.
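Added example (not part of the original page or of the Android SDK): a shell release gate that reads the output of apksigner verify --verbose --print-certs and passes only if the APK verifies under v2 or v3 and every signer matches a pinned certificate digest. The report line format, the function names check_apk_report and sample_report, and the digest value are assumptions; the sample report is constructed.

```shell
#!/bin/sh
# Release gate over `apksigner verify --verbose --print-certs APK` output.
# Assumed report line shapes (wording may differ between Build-Tools releases):
#   Verified using v2 scheme (APK Signature Scheme v2): true
#   Signer #1 certificate SHA-256 digest: <hex>

# check_apk_report PINNED_SHA256   (report text on stdin)
# Returns 0 pass, 1 does not verify, 2 v1-only signature, 3 unexpected signer.
check_apk_report() {
    pinned=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    report=$(cat)

    # The tool must have reported overall success.
    printf '%s\n' "$report" | grep -qx 'Verifies' || return 1

    # Require v2 or v3: v1 alone covers JAR entries, not the whole file.
    printf '%s\n' "$report" |
        grep -Eq '^Verified using v[23] scheme .*: true$' || return 2

    # Every signer's certificate digest must equal the pinned release digest.
    digests=$(printf '%s\n' "$report" |
        sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' |
        tr 'A-F' 'a-f' | sort -u)
    [ "$digests" = "$pinned" ] || return 3
    return 0
}

# Constructed digest and report generator for the demo (not from a real APK).
PIN=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
sample_report() {   # args: v2-result v3-result sha256-digest
    cat <<EOF
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): $1
Verified using v3 scheme (APK Signature Scheme v3): $2
Number of signers: 1
Signer #1 certificate DN: CN=Example Release, O=Example
Signer #1 certificate SHA-256 digest: $3
EOF
}

# Real use: apksigner verify --verbose --print-certs app.apk | check_apk_report "$PIN"
sample_report true true "$PIN" | check_apk_report "$PIN" && echo "gate: pass"
```

The distinct return codes let a CI job tell a tampered or unsigned APK (1) apart from one signed only with v1 (2) or signed with a key other than the pinned release key (3).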
HISTORY
apksigner was introduced with Android SDK Build-Tools 24.0.3 in mid-2016 to support the then-new APK Signature Scheme v2. This scheme offered significant improvements in app integrity verification and installation speed compared to the traditional JAR signing (v1). Subsequent versions of the Android SDK added support for v3 (Android 9.0, enabling key rotation) and v4 (Android 11, facilitating streaming installations). It quickly became the officially recommended tool for signing Android applications, effectively deprecating the use of jarsigner for APKs.