LinuxCommandLibrary

apksigner

Signs Android application packages

SYNOPSIS

apksigner sign|verify [options] <input.apk>

PARAMETERS

--ks keystore
    Keystore file containing signing key (required for sign)

--ks-key-alias alias
    Alias of key in keystore (required for sign)

--ks-pass pass:pwd
    Keystore password (prompt if omitted)

--key-pass pass:pwd
    Key password (defaults to keystore password)

--ks-type type
    Keystore type (e.g., JKS, PKCS12; default JKS)

--ks-debug
    Use debug keystore for signing

--provider-name name
    Cryptographic provider class name

--out output.apk
    Output APK file (overwrites input if omitted)

--in input.apk
    Input APK file

--v1-signing-enabled[=true|false]
    Enable JAR signing scheme (default true)

--v2-signing-enabled[=true|false]
    Enable APK Signature Scheme v2 (default true)

--v3-signing-enabled[=true|false]
    Enable v3 signing for incremental installs

--v4-signing-enabled[=true|false]
    Enable v4 signing (Android 11+)

--min-sdk-version api-level
    Minimum SDK for signature checks

--max-sdk-version api-level
    Maximum SDK for signature checks

--verbose
    Verbose output

--print-certs
    Print certificate details

--print-warnings
    Print warnings during verification

--max-errors num
    Max errors before stopping verify (default 20)

--enable-debian-timestamp
    Use Debian timestamp server for signing

DESCRIPTION

apksigner is a command-line tool from the Android SDK Build Tools used to sign and verify Android Package (APK) files. It applies cryptographic signatures to ensure APK integrity, authenticity, and compatibility with Google Play Store requirements.

Signing creates v1 signatures (JAR signing), v2 (full APK signature scheme for faster verification), v3 (with incremental updates), and v4 (additional security). It replaces the older jarsigner tool, offering better support for APK-specific features like resource alignment and scheme rotation.

Common workflow: Generate a keystore with keytool, sign the APK with apksigner sign, optionally align with zipalign, then verify. Unsigned APKs fail installation on production devices. Verification checks signatures without extracting the APK, detecting tampering or mismatches.

Requires the Android SDK Build Tools to be installed (e.g., via sdkmanager). Runs on Linux, macOS, and Windows. Supports JKS and PKCS#12 keystores. Essential for Android developers publishing apps.

CAVEATS

Not a standard Linux package; install it via the Android SDK. Requires a Java runtime. Signing overwrites the input APK unless --out is used. Debug keystores are insecure for production. v2+ is faster but incompatible with older devices unless v1 is enabled.

SUBCOMMANDS

sign: Applies signatures to APK.
verify: Checks APK signatures and integrity.

EXAMPLE

apksigner sign --ks my.keystore.jks --ks-key-alias myalias app.apk
Enter passwords when prompted.
apksigner verify --verbose app.apk
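
An added example (not part of the original page or of apksigner itself): a shell function that reads the output of apksigner verify --verbose --print-certs and rejects an APK that lacks a verified v2 signature, is signed with the debug keystore, or is not signed by a pinned certificate. The function name, the single-signer policy, and the sample report with its digest are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper (added example): release gate over the output of
#   apksigner verify --verbose --print-certs app.apk
# Usage: apksigner verify --verbose --print-certs app.apk | check_release_signing <pin>
# <pin> is the expected SHA-256 digest (hex) of the release signing certificate.
check_release_signing() {
    pinned=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    report=$(cat)

    # 1. Require v2: v1 (JAR signing) signs entries individually, v2 covers the whole file.
    printf '%s\n' "$report" |
        grep -q '^Verified using v2 scheme (APK Signature Scheme v2): true$' ||
        { echo "FAIL: v2 signature not verified" >&2; return 1; }

    # 2. Reject anything signed with the SDK debug keystore.
    if printf '%s\n' "$report" | grep -q 'certificate DN:.*CN=Android Debug'; then
        echo "FAIL: signed with the debug certificate" >&2
        return 1
    fi

    # 3. Policy assumption: exactly one signer, and its digest equals the pin.
    digests=$(printf '%s\n' "$report" |
        sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: //p' | tr 'A-F' 'a-f')
    [ "$(printf '%s\n' "$digests" | grep -c .)" -eq 1 ] ||
        { echo "FAIL: expected exactly one signer" >&2; return 1; }
    [ "$digests" = "$pinned" ] ||
        { echo "FAIL: signer digest does not match the pin" >&2; return 1; }
    echo "OK: signed by the pinned release certificate"
}

# Constructed sample output (not from a real APK); the digest is a made-up value.
SAMPLE_PIN=3f1a9c0d5e7b24681357acef02468bdf3f1a9c0d5e7b24681357acef02468bdf
sample_report() {
    cat <<EOF
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=${1:-Example Release}, O=Example Corp, C=US
Signer #1 certificate SHA-256 digest: $SAMPLE_PIN
EOF
}

sample_report | check_release_signing "$SAMPLE_PIN"
```

Keep the pinned digest outside the build that produces the APK, so a build signed with a different key cannot also supply its own pin.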

HISTORY

Introduced in Android SDK Build Tools 24.0.0 (March 2016) to modernize APK signing beyond jarsigner. Added v2 support in 24.0.2, v3 in 28.0.0 (2018), v4 in 30.0.0 (2020). Continuously updated for new Android security schemes.

SEE ALSO

jarsigner(1), keytool(1), zipalign
