How to Sign Secured Android Apps Using apksigner

Last updated September 25, 2024 by Appdome

Android apps must be signed before being installed on mobile devices. Many developers sign within their development and integration platform, but some are required to sign the applications on designated computers to preserve the signing credentials within a trusted environment. This Knowledge Base article summarizes the steps required to either sign apps on Appdome or privately. 

Appdome allows signing an app via the Sign tab using the following methods:

  • On Appdome
    Appdome handles the entire signing process. You only need to provide the signing credentials. 
  • Private Signing
    You manage the entire signing process.
  • Auto-DEV Private Signing
    Sign the app without uploading the signing certificate to Appdome’s cloud service. Appdome provides a script (.sh file) that runs in your trusted environment, using your credentials (certificate and password) as input.

Prerequisites

To use Appdome’s mobile app security build system to sign your apps, you’ll need:

Signing an Android app on Appdome

For an Android signing certificate, you can use the information in these resources to create a self-signed certificate keystore.

  1. Select Sign on Appdome
  2. Add your keystore file.
    For more details on how to generate a keystore file, see Generate an Upload Key and Keystore
  3. Enter your keystore password, key alias, and key password
  4. Click Sign My App 


How to Privately Sign Secured Android Apps

Prerequisites to Privately Sign Secured or Shielded Android Apps

For an Android signing certificate, you can use the information in these resources on how to create a self-signed certificate Keystore.

  1. Choose Private Signing as the signing method on the Appdome platform.
  2. Enter the certificate fingerprint.
    Note: The certificate fingerprint is obtained using a Java tool (keytool), described in the section on obtaining the certificate fingerprint below. Once you obtain the fingerprint, you can paste it with or without colon (:) separators.
    Note: The hint is the fingerprint of the application’s signing certificate as it was uploaded to Appdome. If you sign before and after Appdome with the same credentials, the hint will suffice.
  3. Click the link Private Signing (optional). Mark the checkbox to save the signing method on your fusion set.
  4. Verify your certificate fingerprint and click Continue Private Signing.

Once sealing of the application is complete, you can download and deploy it.


How to Obtain the Certificate Fingerprint for Appdome Anti-Tampering

The fingerprint is a one-way hash of the certificate stored in the Android signing Keystore.
To get the fingerprint required by Appdome when signing Android Apps off the Appdome platform from your workstation, run:

keytool -list -v -keystore <path_to_keystore> -storepass <store pass> -alias <alias>

Or another method:

keytool -printcert -jarfile <apk/aab_file>

Note: The SHA1 or SHA256 fingerprint of the signing certificate is a public identifier; it can also be extracted from the signed .apk.

For example, the output should look like this:

test-alias, Nov 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1):BE:D2:E3:17:9F:20:9A:F9:CF:55:E8:31:21:8C:7E:C7:7F:87:62:26

Note: When choosing the option to sign manually, you will need to copy and paste this fingerprint into the certificate fingerprint field on Appdome. 

Important Note:

When signing in your local environment, the Java version installed locally must be identical to or newer than the Java version used when generating your keystore.

To check your Java version, run the following command on your terminal:

java -version

How to Use Appdome-DEV Private Signing Script

You can obtain this private signing script from Appdome. This will allow users to sign apps Built on Appdome without having to upload signing certificates to Appdome.

Signing a Secured Android APK App on your Workstation

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

zipalign -f 4 <path_to_apk> <path_to_apk>-aligned.apk
mv <path_to_apk>-aligned.apk <path_to_apk>
apksigner sign --ks <path_to_keystore> --ks-pass pass:<store pass> --ks-key-alias <alias> --key-pass pass:<key pass> --v2-signing-enabled --v1-signing-enabled <path_to_apk>

After signing, your app is ready to deploy.
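As an added example (not Appdome's signing script), the following shell script wraps the zipalign and apksigner commands above and then uses apksigner verify --print-certs to confirm that the certificate that actually signed the APK matches the fingerprint pasted into Appdome's certificate fingerprint field, which is what Anti-Tampering will compare against. It assumes zipalign and apksigner from the Android build-tools are on PATH; the verify output at the end is a constructed sample used only to show the parsing offline.

```shell
#!/bin/sh
# Added example, not Appdome's script. Aligns and signs an APK exactly as the
# commands above do, then checks that the signer certificate reported by
# `apksigner verify --print-certs` matches the fingerprint entered on Appdome.
# Assumes zipalign and apksigner (Android build-tools) are on PATH.

# Appdome accepts the fingerprint with or without ':' separators; normalise to
# uppercase hex without separators so both forms compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Extract the "Signer #1 certificate <ALG> digest" value from verify output.
# $1 = verify output, $2 = "SHA-256" or "SHA-1"
digest_from_verify() {
  printf '%s\n' "$1" | sed -n "s/^Signer #1 certificate $2 digest: *//p" | head -n 1
}

# $1 apk, $2 keystore, $3 store pass, $4 alias, $5 key pass,
# $6 fingerprint as entered on Appdome (SHA256 or SHA1, colons optional)
sign_and_check() {
  apk=$1; ks=$2; storepass=$3; alias=$4; keypass=$5
  expected=$(normalize_fp "$6")
  zipalign -f 4 "$apk" "$apk-aligned.apk" || return 1
  mv "$apk-aligned.apk" "$apk" || return 1
  apksigner sign --ks "$ks" --ks-pass "pass:$storepass" --ks-key-alias "$alias" \
    --key-pass "pass:$keypass" --v2-signing-enabled --v1-signing-enabled "$apk" || return 1
  out=$(apksigner verify --print-certs "$apk") || return 1
  # A 40-hex-char fingerprint is SHA1, 64 is SHA256; compare against the matching digest.
  if [ "${#expected}" -eq 40 ]; then alg=SHA-1; else alg=SHA-256; fi
  actual=$(normalize_fp "$(digest_from_verify "$out" "$alg")")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample of apksigner verify output, used to show the parsing offline.
SAMPLE_VERIFY='Signer #1 certificate DN: CN=test
Signer #1 certificate SHA-256 digest: 0a1b2c3d
Signer #1 certificate SHA-1 digest: bed2e3179f209af9cf55e831218c7ec77f876226'
echo "Parsed SHA-1 digest: $(digest_from_verify "$SAMPLE_VERIFY" SHA-1)"
```

Call sign_and_check with the APK, keystore details and the fingerprint you entered on Appdome; a non-zero exit means the APK was signed with a different certificate than the one Appdome expects.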

Signing a Secured Android AAB App on your Workstation

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

jarsigner <path_to_AAB> -sigalg SHA256withRSA -digestalg SHA-256 -keystore <path_to_keystore> <alias> -storepass <store pass> -keypass <key pass> -signedjar signed_AAB.aab

After signing, your app is ready to deploy to the Play Store.

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
