how to sign apk with apksigner

3 min read 03-02-2025

Signing your Android APK (Android Package Kit) is crucial before distributing it. Unsigned APKs won't install on Android devices, raising security concerns. This process verifies the APK's authenticity and integrity, ensuring users download legitimate apps. apksigner, a tool included in the Android SDK build-tools, makes signing simple and efficient. This guide will walk you through signing your APK using apksigner.

Prerequisites

Before you begin, ensure you have the following:

Android SDK Build-Tools: You need the Android SDK build-tools installed. This includes apksigner. If you don't have it, download the latest build-tools package through the Android SDK Manager.
Keystore File: This file contains your private and public keys. You'll need this to sign your APK. If you don't have one, you'll need to create one using the keytool command (detailed below). Protect your keystore file; it's essential for app updates.
APK File: The Android application package you wish to sign. This is the compiled .apk file.

Creating a Keystore (If Needed)

If you don't already have a keystore, you'll need to create one using the keytool utility, included in the Java Development Kit (JDK). Open your terminal or command prompt and navigate to your JDK's bin directory. Then, use the following command:

keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-release-key

This command does the following:

keytool -genkey -v: Initiates keystore generation with verbose output.
-keystore my-release-key.jks: Specifies the name and location of the keystore file. Choose a secure location and remember the password.
-keyalg RSA: Sets the key algorithm to RSA (recommended).
-keysize 2048: Sets the key size to 2048 bits (recommended for security).
-validity 10000: Sets the key's validity to 10,000 days (approximately 27 years).
-alias my-release-key: Sets the alias for your key within the keystore.

You'll be prompted to enter a password for the keystore and then for the key itself. Remember these passwords carefully! You'll need them to sign your APK.

Signing Your APK with apksigner

Once you have your keystore, you can sign your APK. Navigate to the directory containing your apksigner and your APK file via the command line. Then use the following command:

apksigner sign --ks my-release-key.jks your-app.apk

Replace the following:

my-release-key.jks: With the path to your keystore file.
your-app.apk: With the path to your unsigned APK file.

You'll be prompted to enter the keystore password and the key password. After successful signing, you'll have a signed APK ready for distribution.

Verifying Your Signature

It's always good practice to verify that your APK is correctly signed. You can do this using the apksigner verify command:

apksigner verify your-app.apk

This command will check the signature and report any issues. A successful verification confirms that your APK is correctly signed and ready for release.

Troubleshooting

Error: Keystore password incorrect: Double-check the password you entered. Case sensitivity matters.
Error: Key password incorrect: Similarly, verify the key password. It might be different from the keystore password.
Error: apksigner not found: Ensure the Android SDK build-tools are correctly installed and added to your system's PATH environment variable.
Error: V1 signature missing: Ensure you are using a compatible version of apksigner and that your keystore is correctly configured.

Best Practices

Store your keystore securely: Treat your keystore file like a password—keep it safe. Losing it means you can't update your app.
Use a strong keystore password: A strong password protects your app and its integrity.
Regularly update your signing tools: Keep your Android SDK build-tools and apksigner updated for security and compatibility.

By following these steps, you can confidently sign your Android APKs using apksigner, ensuring a secure and reliable distribution process for your applications. Remember to keep your keystore safe and use strong passwords. Happy developing!