USAGE: apksigner sign [options] apk

This signs the provided APK, stripping out any pre-existing signatures. Signing
is performed using one or more signers, each represented by an asymmetric key
pair and a corresponding certificate. Typically, an APK is signed by just one
signer. For each signer, you need to provide the signer's private key and
certificate.


        GENERAL OPTIONS

--in                  Input APK file to sign. This is an alternative to
                      specifying the APK as the very last parameter, after all
                      options. Unless --out is specified, this file will be
                      overwritten with the resulting signed APK.

--out                 File into which to output the signed APK. By default, the
                      APK is signed in-place, overwriting the input file.

-v, --verbose         Verbose output mode

--v1-signing-enabled  Whether to enable signing using JAR signing scheme (aka v1
                      signing scheme) used in Android since day one. By default,
                      signing using this scheme is enabled based on min and max
                      SDK version (see --min-sdk-version and --max-sdk-version).

--v2-signing-enabled  Whether to enable signing using APK Signature Scheme v2
                      (aka v2 signing scheme) introduced in Android Nougat,
                      API Level 24. By default, signing using this scheme is
                      enabled based on min and max SDK version (see
                      --min-sdk-version and --max-sdk-version).

--v3-signing-enabled  Whether to enable signing using APK Signature Scheme v3
                      (aka v3 signing scheme) introduced in Android P,
                      API Level 28. By default, signing using this scheme is
                      enabled based on min and max SDK version (see
                      --min-sdk-version and --max-sdk-version). Multiple
                      signers are not supported when using v3 signing, but
                      multiple signers may be provided in conjunction with the
                      "lineage" option to make sure that the app is signed by
                      an appropriate signer on all supported platform versions.

--min-sdk-version     Lowest API Level on which this APK's signatures will be
                      verified. By default, the value from AndroidManifest.xml
                      is used. The higher the value, the stronger security
                      parameters are used when signing.

--max-sdk-version     Highest API Level on which this APK's signatures will be
                      verified. By default, the highest possible value is used.

--debuggable-apk-permitted  Whether to permit signing android:debuggable="true"
                      APKs. Android disables some of its security protections
                      for such apps. For example, anybody with ADB shell access
                      can execute arbitrary code in the context of a debuggable
                      app and can read/write persistently stored data of the
                      app. It is a good security practice to not sign
                      debuggable APKs with production signing keys, because
                      such APKs put users at risk once leaked.
                      By default, signing debuggable APKs is permitted, for
                      backward compatibility with older apksigner versions.

--lineage             Signing certificate history to use in the event that
                      signing certificates changed for an APK using APK
                      Signature Scheme v3 supported signing certificate
                      rotation. This object may be created by the apksigner
                      "rotate" command. If used, all signers used to sign the
                      APK must be present in the signing lineage,
                      and if v1 or v2 signing is enabled, the first (oldest)
                      entry in the lineage must have a signer provided, so that
                      it can be used for those v1 and/or v2 signing. Multiple
                      signers are not supported when using APK Signature Scheme
                      v3, so multiple signers input will correspond to different
                      points in the lineage and will be used on older platform
                      versions when the newest signer in the lineage is
                      unsupported.
                      An APK previously signed with a SigningCertificateLineage
                      can also be specified; the lineage will then be read from
                      the signed data in the APK.

-h, --help            Show help about this command and exit


        PER-SIGNER OPTIONS
These options specify the configuration of a particular signer. To delimit
options of different signers, use --next-signer.

--next-signer         Delimits options of two different signers. There is no
                      need to use this option when only one signer is used.

--v1-signer-name      Basename for files comprising the JAR signature scheme
                      (aka v1 scheme) signature of this signer. By default,
                      KeyStore key alias or basename of key file is used.

        PER-SIGNER SIGNING KEY & CERTIFICATE OPTIONS
There are two ways to provide the signer's private key and certificate: (1) Java
KeyStore (see --ks), or (2) private key file in PKCS #8 format and certificate
file in X.509 format (see --key and --cert).

--ks                  Load private key and certificate chain from the Java
                      KeyStore initialized from the specified file. NONE means
                      no file is needed by KeyStore, which is the case for some
                      PKCS #11 KeyStores.

--ks-key-alias        Alias under which the private key and certificate are
                      stored in the KeyStore. This must be specified if the
                      KeyStore contains multiple keys.

--ks-pass             KeyStore password (see --ks). The following formats are
                      supported:
                          pass:<password> password provided inline
                          env:<name>      password provided in the named
                                          environment variable
                          file:<file>     password provided in the named
                                          file, as a single line
                          stdin           password provided on standard input,
                                          as a single line
                      A password is required to open a KeyStore.
                      By default, the tool will prompt for password via console
                      or standard input.
                      When the same file (including standard input) is used for
                      providing multiple passwords, the passwords are read from
                      the file one line at a time. Passwords are read in the
                      order in which signers are specified and, within each
                      signer, KeyStore password is read before the key password
                      is read.

--key-pass            Password with which the private key is protected.
                      The following formats are supported:
                          pass:<password> password provided inline
                          env:<name>      password provided in the named
                                          environment variable
                          file:<file>     password provided in the named
                                          file, as a single line
                          stdin           password provided on standard input,
                                          as a single line
                      If --key-pass is not specified for a KeyStore key, this
                      tool will attempt to load the key using the KeyStore
                      password and, if that fails, will prompt for key password
                      and attempt to load the key using that password.
                      If --key-pass is not specified for a private key file key,
                      this tool will prompt for key password only if a password
                      is required.
                      When the same file (including standard input) is used for
                      providing multiple passwords, the passwords are read from
                      the file one line at a time. Passwords are read in the
                      order in which signers are specified and, within each
                      signer, KeyStore password is read before the key password
                      is read.

--pass-encoding       Additional character encoding (e.g., ibm437 or utf-8) to
                      try for passwords containing non-ASCII characters.
                      KeyStores created by keytool are often encrypted not using
                      the Unicode form of the password but rather using the form
                      produced by encoding the password using the console's
                      character encoding. apksigner by default tries to decrypt
                      using several forms of the password: the Unicode form, the
                      form encoded using the JVM default charset, and, on Java 8
                      and older, the form encoded using the console's charset.
                      On Java 9, apksigner cannot detect the console's charset
                      and may need to be provided with --pass-encoding when a
                      non-ASCII password is used. --pass-encoding may also need
                      to be provided for a KeyStore created by keytool on a
                      different OS or in a different locale.

--ks-type             Type/algorithm of KeyStore to use. By default, the default
                      type is used.

--ks-provider-name    Name of the JCA Provider from which to request the
                      KeyStore implementation. By default, the highest priority
                      provider is used. See --ks-provider-class for the
                      alternative way to specify a provider.

--ks-provider-class   Fully-qualified class name of the JCA Provider from which
                      to request the KeyStore implementation. By default, the
                      provider is chosen based on --ks-provider-name.

--ks-provider-arg     Value to pass into the constructor of the JCA Provider
                      class specified by --ks-provider-class. The value is
                      passed into the constructor as java.lang.String. By
                      default, the no-arg provider's constructor is used.

--key                 Load private key from the specified file. If the key is
                      password-protected, the password will be prompted via
                      standard input unless specified otherwise using
                      --key-pass. The file must be in PKCS #8 DER format.

--cert                Load certificate chain from the specified file. The file
                      must be in X.509 PEM or DER format.


        JCA PROVIDER INSTALLATION OPTIONS
These options enable you to install additional Java Crypto Architecture (JCA)
Providers, such as PKCS #11 providers. Use --next-provider to delimit options of
different providers. Providers are installed in the order in which they appear
on the command-line.

--provider-class      Fully-qualified class name of the JCA Provider.

--provider-arg        Value to pass into the constructor of the JCA Provider
                      class specified by --provider-class. The value is passed
                      into the constructor as java.lang.String. By default, the
                      no-arg provider's constructor is used.

--provider-pos        Position / priority at which to install this provider in
                      the JCA provider list. By default, the provider is
                      installed as the lowest priority provider.
                      See java.security.Security.insertProviderAt.


        EXAMPLES

1. Sign an APK, in-place, using the one and only key in keystore release.jks:
$ apksigner sign --ks release.jks app.apk

2. Sign an APK, without overwriting, using the one and only key in keystore
   release.jks:
$ apksigner sign --ks release.jks --in app.apk --out app-signed.apk

3. Sign an APK using a private key and certificate stored as individual files:
$ apksigner sign --key release.pk8 --cert release.x509.pem app.apk

4. Sign an APK using two keys:
$ apksigner sign --ks release.jks --next-signer --ks magic.jks app.apk

5. Sign an APK using PKCS #11 JCA Provider:
$ apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 \
    --provider-arg token.cfg --ks NONE --ks-type PKCS11 app.apk

6. Sign an APK using a non-ASCII password KeyStore created on English Windows.
   The --pass-encoding parameter is not needed if apksigner is being run on
   English Windows with Java 8 or older.
$ apksigner sign --ks release.jks --pass-encoding ibm437 app.apk

7. Sign an APK on Windows using a non-ASCII password KeyStore created on a
   modern OSX or Linux machine:
$ apksigner sign --ks release.jks --pass-encoding utf-8 app.apk

8. Sign an APK with rotated signing certificate:
$ apksigner sign --ks release.jks --next-signer --ks release2.jks \
    --lineage /path/to/signing/history/lineage app.apk
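
Added example, not part of apksigner's own help text: a shell wrapper for unattended release signing that combines the --ks-pass/--key-pass formats, --out and --debuggable-apk-permitted described above. The file names, the key alias and the APKSIGNER override variable are assumptions for illustration.

```shell
# Added example, not part of apksigner's help text. File names, the key alias
# and the APKSIGNER override variable are assumptions for illustration.

# Accept only password specs that keep the secret off the command line.
# "pass:<password>" is rejected: inline arguments can be read from the
# process list and tend to end up in shell history and CI logs.
check_pass_spec() {
    case "$1" in
        env:?*|file:?*|stdin) return 0 ;;
        pass:*) echo "error: inline password spec is not allowed" >&2 ;;
        *)      echo "error: unsupported password spec: $1" >&2 ;;
    esac
    return 1
}

# sign_release <keystore> <alias> <ks-pass-spec> <key-pass-spec> <in.apk> <out.apk>
sign_release() {
    if [ "$#" -ne 6 ]; then
        echo "usage: sign_release KEYSTORE ALIAS KS_PASS_SPEC KEY_PASS_SPEC IN_APK OUT_APK" >&2
        return 2
    fi
    sr_ks=$1 sr_alias=$2 sr_kspass=$3 sr_keypass=$4 sr_in=$5 sr_out=$6
    check_pass_spec "$sr_kspass" || return 1
    check_pass_spec "$sr_keypass" || return 1
    # Without a distinct --out, apksigner overwrites the input APK.
    if [ "$sr_in" = "$sr_out" ]; then
        echo "error: output would overwrite the input APK" >&2
        return 1
    fi
    # --debuggable-apk-permitted false: refuse android:debuggable="true"
    # APKs instead of signing them with the production key.
    "${APKSIGNER:-apksigner}" sign \
        --ks "$sr_ks" --ks-key-alias "$sr_alias" \
        --ks-pass "$sr_kspass" --key-pass "$sr_keypass" \
        --debuggable-apk-permitted false \
        --in "$sr_in" --out "$sr_out"
}

# Usage (KS_PASS and KEY_PASS are environment variables holding the secrets):
#   sign_release release.jks release env:KS_PASS env:KEY_PASS \
#       app-unsigned.apk app-release.apk
```

When both passwords use stdin or the same file: spec, the KeyStore password must come first and the key password second, one per line, as described under --ks-pass.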