USAGE: apksigner sign [options] apk

This signs the provided APK, stripping out any pre-existing signatures. Signing
is performed using one or more signers, each represented by an asymmetric key
pair and a corresponding certificate. Typically, an APK is signed by just one
signer. For each signer, you need to provide the signer's private key and
certificate.


        GENERAL OPTIONS

--in                  Input APK file to sign. This is an alternative to
                      specifying the APK as the very last parameter, after all
                      options. Unless --out is specified, this file will be
                      overwritten with the resulting signed APK.

--out                 File into which to output the signed APK. By default, the
                      APK is signed in-place, overwriting the input file.

-v, --verbose         Verbose output mode

--v1-signing-enabled  Whether to enable signing using JAR signing scheme (aka v1
                      signing scheme) used in Android since day one. By default,
                      signing using this scheme is enabled based on min and max
                      SDK version (see --min-sdk-version and --max-sdk-version).

--v2-signing-enabled  Whether to enable signing using APK Signature Scheme v2
                      (aka v2 signing scheme) introduced in Android Nougat,
                      API Level 24. By default, signing using this scheme is
                      enabled based on min and max SDK version (see
                      --min-sdk-version and --max-sdk-version).

--v3-signing-enabled  Whether to enable signing using APK Signature Scheme v3
                      (aka v3 signing scheme) introduced in Android P,
                      API Level 28. By default, signing using this scheme is
                      enabled based on min and max SDK version (see
                      --min-sdk-version and --max-sdk-version). Multiple
                      signers are not supported when using v3 signing, but
                      multiple signers may be provided in conjunction with the
                      "lineage" option to make sure that the app is signed by
                      an appropriate signer on all supported platform versions.

--v4-signing-enabled  Whether to enable signing using APK Signature Scheme v4
                      (aka v4 signing scheme) introduced in Android 11,
                      API Level 30. By default, signing using this scheme is
                      enabled based on min and max SDK version (see
                      --min-sdk-version and --max-sdk-version).

--force-stamp-overwrite  Whether to overwrite existing source stamp in the
                      APK, if found. By default, it is set to false. It has no
                      effect if no source stamp signer config is provided.

--align-file-size     Produces APK file sized as multiples of 4K bytes.

--verity-enabled      Whether to enable the verity signature algorithm for the
                      v2 and v3 signature schemes.

--min-sdk-version     Lowest API Level on which this APK's signatures will be
                      verified. By default, the value from AndroidManifest.xml
                      is used. The higher the value, the stronger security
                      parameters are used when signing.

--max-sdk-version     Highest API Level on which this APK's signatures will be
                      verified. By default, the highest possible value is used.

--rotation-min-sdk-version  Lowest API Level for which an APK's rotated signing
                      key should be used to produce the APK's signature. The
                      original signing key for the APK will be used for all
                      previous platform versions. Specifying a value <= 32
                      (Android Sv2) will result in the original V3 signing block
                      being used without platform targeting. By default,
                      rotated signing keys will be used with the V3.1 signing
                      block which supports Android T+.

--rotation-targets-dev-release  The specified rotation-min-sdk-version is intended
                      for a platform release under development. During development
                      of a new platform, the API Level of the previously released
                      platform is used as the API Level of the development
                      platform until the SDK is finalized. This flag allows
                      targeting signing key rotation to a development platform
                      with API Level X while preventing the rotated key from being
                      used on the latest release platform with API Level X.

--debuggable-apk-permitted  Whether to permit signing android:debuggable="true"
                      APKs. Android disables some of its security protections
                      for such apps. For example, anybody with ADB shell access
                      can execute arbitrary code in the context of a debuggable
                      app and can read/write persistently stored data of the
                      app. It is a good security practice to not sign
                      debuggable APKs with production signing keys, because
                      such APKs put users at risk once leaked.
                      By default, signing debuggable APKs is permitted, for
                      backward compatibility with older apksigner versions.

--alignment-preserved  Whether the existing alignment within the APK should
                      be preserved; the default for this setting is false.
                      When this value is false, the value provided to
                      --lib-page-alignment will be used to page align native
                      library files and all other files will be aligned to 4
                      bytes in the APK.

--lib-page-alignment  The number of bytes to be used to page align native
                      library files in the APK; the default value is 16384.

--lineage             Signing certificate history to use in the event that
                      signing certificates changed for an APK using APK
                      Signature Scheme v3 supported signing certificate
                      rotation. This object may be created by the apksigner
                      "rotate" command. If used, all signers used to sign the
                      APK must be present in the signing lineage,
                      and if v1 or v2 signing is enabled, the first (oldest)
                      entry in the lineage must have a signer provided, so that
                      it can be used for those v1 and/or v2 signing. Multiple
                      signers are not supported when using APK Signature Scheme
                      v3, so multiple signers input will correspond to different
                      points in the lineage and will be used on older platform
                      versions when the newest signer in the lineage is
                      unsupported.
                      An APK previously signed with a SigningCertificateLineage
                      can also be specified; the lineage will then be read from
                      the signed data in the APK.

--deterministic-dsa-signing  When signing with the DSA signature algorithm,
                      whether to use the deterministic version as specified in
                      RFC 6979.

--append-signature    Appends the current signature to any signatures that
                      already exist within the APK. This option can be used
                      when an APK is signed by multiple independent signers to
                      allow each to add their own signature without needing to
                      share their private key. This option can also be used to
                      preserve existing key / value blocks that exist within the
                      APK signing block.

-h, --help            Show help about this command and exit


        PER-SIGNER OPTIONS
These options specify the configuration of a particular signer. To delimit
options of different signers, use --next-signer.

--next-signer         Delimits options of two different signers. There is no
                      need to use this option when only one signer is used.

--v1-signer-name      Basename for files comprising the JAR signature scheme
                      (aka v1 scheme) signature of this signer. By default,
                      KeyStore key alias or basename of key file is used.

--stamp-signer        The signing information for the signer of the source stamp
                      to be included in the APK.

--signer-for-min-sdk-version <SDK>  Requires an int value indicating the minimum
                      SDK version for which this signing config should be used
                      to produce the APK's signature. The value should be >= 28
                      (Android P), and any value <= 32 will apply to Android P
                      through Sv2 (SDK versions 28 - 32); since the V3.0
                      signature scheme does not support verified SDK version
                      targeting, only a single signing config <= 32 can be
                      specified.

--signer-lineage      The lineage to be used for the current SDK targeted
                      signing config.

        PER-SIGNER SIGNING KEY & CERTIFICATE OPTIONS
There are two ways to provide the signer's private key and certificate: (1) Java
KeyStore (see --ks), or (2) private key file in PKCS #8 format and certificate
file in X.509 format (see --key and --cert).

--ks                  Load private key and certificate chain from the Java
                      KeyStore initialized from the specified file. NONE means
                      no file is needed by KeyStore, which is the case for some
                      PKCS #11 KeyStores.

--ks-key-alias        Alias under which the private key and certificate are
                      stored in the KeyStore. This must be specified if the
                      KeyStore contains multiple keys.

--ks-pass             KeyStore password (see --ks). The following formats are
                      supported:
                          pass:<password> password provided inline
                          env:<name>      password provided in the named
                                          environment variable
                          file:<file>     password provided in the named
                                          file, as a single line
                          stdin           password provided on standard input,
                                          as a single line
                      A password is required to open a KeyStore.
                      By default, the tool will prompt for password via console
                      or standard input.
                      When the same file (including standard input) is used for
                      providing multiple passwords, the passwords are read from
                      the file one line at a time. Passwords are read in the
                      order in which signers are specified and, within each
                      signer, KeyStore password is read before the key password
                      is read.

--key-pass            Password with which the private key is protected.
                      The following formats are supported:
                          pass:<password> password provided inline
                          env:<name>      password provided in the named
                                          environment variable
                          file:<file>     password provided in the named
                                          file, as a single line
                          stdin           password provided on standard input,
                                          as a single line
                      If --key-pass is not specified for a KeyStore key, this
                      tool will attempt to load the key using the KeyStore
                      password and, if that fails, will prompt for key password
                      and attempt to load the key using that password.
                      If --key-pass is not specified for a private key file key,
                      this tool will prompt for key password only if a password
                      is required.
                      When the same file (including standard input) is used for
                      providing multiple passwords, the passwords are read from
                      the file one line at a time. Passwords are read in the
                      order in which signers are specified and, within each
                      signer, KeyStore password is read before the key password
                      is read.

--pass-encoding       Additional character encoding (e.g., ibm437 or utf-8) to
                      try for passwords containing non-ASCII characters.
                      KeyStores created by keytool are often encrypted not using
                      the Unicode form of the password but rather using the form
                      produced by encoding the password using the console's
                      character encoding. apksigner by default tries to decrypt
                      using several forms of the password: the Unicode form, the
                      form encoded using the JVM default charset, and, on Java 8
                      and older, the form encoded using the console's charset.
                      On Java 9, apksigner cannot detect the console's charset
                      and may need to be provided with --pass-encoding when a
                      non-ASCII password is used. --pass-encoding may also need
                      to be provided for a KeyStore created by keytool on a
                      different OS or in a different locale.

--ks-type             Type/algorithm of KeyStore to use. By default, the default
                      type is used.

--ks-provider-name    Name of the JCA Provider from which to request the
                      KeyStore implementation. By default, the highest priority
                      provider is used. See --ks-provider-class for the
                      alternative way to specify a provider.

--ks-provider-class   Fully-qualified class name of the JCA Provider from which
                      to request the KeyStore implementation. By default, the
                      provider is chosen based on --ks-provider-name.

--ks-provider-arg     Value to pass into the constructor of the JCA Provider
                      class specified by --ks-provider-class. The value is
                      passed into the constructor as java.lang.String. By
                      default, the no-arg provider's constructor is used.

--key                 Load private key from the specified file. If the key is
                      password-protected, the password will be prompted via
                      standard input unless specified otherwise using
                      --key-pass. The file must be in PKCS #8 DER format.

--cert                Load certificate chain from the specified file. The file
                      must be in X.509 PEM or DER format.


        JCA PROVIDER INSTALLATION OPTIONS
These options enable you to install additional Java Crypto Architecture (JCA)
Providers, such as PKCS #11 providers. Use --next-provider to delimit options of
different providers. Providers are installed in the order in which they appear
on the command-line.

--provider-class      Fully-qualified class name of the JCA Provider.

--provider-arg        Value to pass into the constructor of the JCA Provider
                      class specified by --provider-class. The value is passed
                      into the constructor as java.lang.String. By default, the
                      no-arg provider's constructor is used.

--provider-pos        Position / priority at which to install this provider in
                      the JCA provider list. By default, the provider is
                      installed as the lowest priority provider.
                      See java.security.Security.insertProviderAt.


        EXAMPLES

1. Sign an APK, in-place, using the one and only key in keystore release.jks:
$ apksigner sign --ks release.jks app.apk

2. Sign an APK, without overwriting, using the one and only key in keystore
   release.jks:
$ apksigner sign --ks release.jks --in app.apk --out app-signed.apk

3. Sign an APK using a private key and certificate stored as individual files:
$ apksigner sign --key release.pk8 --cert release.x509.pem app.apk

4. Sign an APK using two keys:
$ apksigner sign --ks release.jks --next-signer --ks magic.jks app.apk

5. Sign an APK using PKCS #11 JCA Provider:
$ apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 \
    --provider-arg token.cfg --ks NONE --ks-type PKCS11 app.apk

6. Sign an APK using a non-ASCII password KeyStore created on English Windows.
   The --pass-encoding parameter is not needed if apksigner is being run on
   English Windows with Java 8 or older.
$ apksigner sign --ks release.jks --pass-encoding ibm437 app.apk

7. Sign an APK on Windows using a non-ASCII password KeyStore created on a
   modern OSX or Linux machine:
$ apksigner sign --ks release.jks --pass-encoding utf-8 app.apk

8. Sign an APK with rotated signing certificate:
$ apksigner sign --ks release.jks --next-signer --ks release2.jks \
    --lineage /path/to/signing/history/lineage app.apk
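
A release-signing wrapper that combines several of the options above, as an added example that is not part of apksigner or its help text. It passes both passwords through one file: argument (KeyStore password on the first line, key password on the second, the read order described under --ks-pass), refuses debuggable APKs and always writes to a separate --out file. The function names, exit codes and two-line password file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of apksigner. Function names, exit codes and the
# two-line password file layout are assumptions of this example.

# release_sign_args KEYSTORE ALIAS PASSFILE IN_APK OUT_APK
# Prints the apksigner arguments one per line; non-zero status on unsafe input.
release_sign_args() {
    ks=$1; key_alias=$2; passfile=$3; in_apk=$4; out_apk=$5

    # Without a distinct --out the input file is overwritten in place.
    if [ "$in_apk" = "$out_apk" ]; then
        echo "refusing to sign in place: $in_apk" >&2
        return 2
    fi
    # Two lines expected: KeyStore password first, then key password, the
    # order in which apksigner reads them when both options name one file.
    if [ ! -f "$passfile" ] || [ "$(wc -l < "$passfile" | tr -d ' ')" -ne 2 ]; then
        echo "password file must exist and contain exactly two lines" >&2
        return 3
    fi
    # Reject a password file that group or others can read.
    if [ -n "$(find "$passfile" \( -perm -040 -o -perm -004 \))" ]; then
        echo "password file is group/world readable: $passfile" >&2
        return 4
    fi
    # file: keeps the passwords out of the process argument list, unlike pass:.
    printf '%s\n' sign \
        --ks "$ks" --ks-key-alias "$key_alias" \
        --ks-pass "file:$passfile" --key-pass "file:$passfile" \
        --debuggable-apk-permitted false \
        --in "$in_apk" --out "$out_apk"
}

# sign_release: same arguments as release_sign_args; runs apksigner with them.
sign_release() {
    args=$(release_sign_args "$@") || return $?
    # Line-based hand-off: paths containing newlines are not supported.
    old_ifs=$IFS
    IFS='
'
    set -f; set -- $args; set +f
    IFS=$old_ifs
    apksigner "$@"
}
```

Call sign_release with the keystore, alias, password file, input APK and output APK; release_sign_args alone prints the command line for review without running apksigner.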