How to Sign Secured Android Apps Using apksigner

Last updated January 2, 2025 by Appdome

Android apps must be signed before they can be installed on mobile devices. Many developers sign within their development and integration platform, but some are required to sign applications on designated computers so that the signing credentials stay within a trusted environment. This Knowledge Base article summarizes the steps required to sign apps either on Appdome or privately.

Appdome allows signing an app via the Sign tab using the following methods:

  • On Appdome
    Appdome handles the entire signing process. You only need to provide the signing credentials. 
  • Private Signing
    You manage the entire signing process.
  • Auto-DEV Private Signing
    You can sign your app without uploading the signing certificate to Appdome’s cloud service. Instead, Appdome provides a script (.sh file) that runs in your trusted environment, using your credentials (certificate and password) as input.
  • Use Google Play App Signing
    This feature allows the dedicated application to be signed via Google Play, App Center, Firebase, and other signing services.

Prerequisites

To use Appdome’s mobile app security build system to sign your apps, you’ll need:

Signing an Android app on Appdome

For an Android signing certificate, you can use the information in these resources to create a self-signed certificate keystore.

  1. Select Sign on Appdome
  2. Add your keystore file.
    For more details on how to generate a keystore file, see Generate an Upload Key and Keystore
  3. Enter your keystore password, key alias, and key password
  4. Click Sign My App 

Optional: Save or Remove Signing Credentials
Appdome allows saving signing credentials to streamline future signing processes.
Additionally, if the signing credentials are no longer needed or need to be updated, they can be removed directly from the Sign Tab by clicking the Remove Signing Credentials button.

When you click Sign My App, Appdome analyzes the fused app’s components and calculates a checksum that represents the exact state of each component within the app. Embedding the checksum combined with your signing credentials into the app’s components will ensure that the app can’t be modified or tampered with once the signing is complete.

To learn more about Appdome’s Checksum Validation, see our Running a Checksum Validation of Android & iOS Apps knowledge base article. 

How to Privately Sign Secured Android Apps

Prerequisites to Privately Sign Secured or Shielded Android Apps

For an Android signing certificate, you can use the information in these resources on how to create a self-signed certificate Keystore.

  1. Choose Private Signing as the signing method on the Appdome platform
  2. Enter the certificate fingerprint.
    Note: The certificate fingerprint is obtained using a Java tool described in the next section. Once you obtain the fingerprint, you can paste it with or without colon (:) separators.
    Note:
    The hint is the fingerprint of the application’s signing certificate as it was uploaded to Appdome. If you sign before and after Appdome with the same credentials, the hint will suffice.
  3. Click the link Private Signing (optional). Then mark the checkbox to save the signing method on your fusion set.
  4. Next, you need to verify your certificate fingerprint and click Continue Private Signing.

Once you have sealed the application, you can download it and deploy it.

How to Obtain the Certificate Fingerprint for Appdome 

The fingerprint is a one-way hash of the certificate stored in the Android signing Keystore.
To get the fingerprint required by Appdome when signing Android Apps off the Appdome platform from your workstation, run:

keytool -list -v -keystore <path_to_keystore> -storepass <store pass> -alias <alias>

Or another method:

keytool -printcert -jarfile <apk/aab_file>

Note: The SHA1 or SHA256 fingerprint of the signing certificate appears in the output. It is a public identifier that can also be extracted from the signed .apk.

For example, the output should look like this:

test-alias, Nov 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1):BE:D2:E3:17:9F:20:9A:F9:CF:55:E8:31:21:8C:7E:C7:7F:87:62:26

Note: When choosing the option to sign manually, you will need to copy and paste this fingerprint into the certificate fingerprint field on Appdome. 

Important Note:

When signing in your local environment, the Java version installed locally must be identical to or newer than the Java version used when generating your keystore.

To check your Java version, run the following command on your terminal:

java -version

How to Use Appdome-DEV Private Signing Script

You can obtain this private signing script from Appdome. This will allow users to sign apps Built on Appdome without having to upload signing certificates to Appdome.

Signing a Secured Android APK App on your Workstation

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

zipalign -f 4 <path_to_apk> <path_to_apk>-aligned.apk
mv <path_to_apk>-aligned.apk <path_to_apk>
apksigner sign --ks <path_to_keystore> --ks-pass pass:<store pass> --ks-key-alias <alias> --key-pass pass:<key pass> --v2-signing-enabled --v1-signing-enabled <path_to_apk>

After signing, your app is ready to deploy.
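
To confirm before deployment that the signed APK carries the certificate whose fingerprint was entered on Appdome, the check below compares the two. It is an added example, not part of Appdome's article or tooling: the function names and sample output are constructed, it assumes `apksigner verify --print-certs` prints `Signer #1 certificate <alg> digest:` lines, and it reads passwords from the assumed environment variables KS_PASS and KEY_PASS.

```shell
#!/usr/bin/env bash
# Added example: confirm a signed APK carries the certificate whose
# fingerprint was entered on Appdome. Function names are hypothetical.

# Canonical form: hex digits only, lowercase (colons optional on input).
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:upper:]' '[:lower:]'
}

# Read `apksigner verify --print-certs` output on stdin; print the first
# signer's digest for algorithm $1 (SHA-1 or SHA-256).
signer_fp() {
  sed -n "s/^Signer #1 certificate $1 digest: *//p" | head -n 1
}

# $1 = expected fingerprint, $2 = algorithm, stdin = verifier output.
# Fails on mismatch and when no certificate line was found.
fp_matches() {
  want=$(normalize_fp "$1")
  got=$(normalize_fp "$(signer_fp "$2")")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Sign with passwords read from environment variables (assumed names
# KS_PASS, KEY_PASS) so they stay out of the process list and history.
sign_apk() {  # $1 = keystore, $2 = alias, $3 = apk
  apksigner sign --ks "$1" --ks-pass env:KS_PASS --ks-key-alias "$2" \
    --key-pass env:KEY_PASS "$3"
}

# Constructed sample of verifier output: the SHA-1 value is the example
# fingerprint shown earlier in this article, the DN is made up.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example
Signer #1 certificate SHA-1 digest: bed2e3179f209af9cf55e831218c7ec77f876226'

# Usage: <script> <apk> <SHA-1|SHA-256> <expected fingerprint>
if [ "$#" -eq 3 ]; then
  if apksigner verify --print-certs "$1" | fp_matches "$3" "$2"; then
    echo "OK: signing certificate matches the expected fingerprint"
  else
    echo "MISMATCH: signing certificate differs, do not deploy" >&2
    exit 1
  fi
fi
```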

Signing a Secured Android AAB App on your Workstation

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

jarsigner <path_to_AAB> -sigalg SHA256withRSA -digestalg SHA-256 -keystore <path_to_keystore> <alias> -storepass <store pass> -keypass <key pass> -signedjar signed_AAB.aab

After signing, your app is ready to deploy to the Play Store.

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
