How to sign a release APK

Share your advanced knowledge/code with the community.
William Van Hoecke
Posts: 50
Joined: Tue Oct 22, 2019 12:09 pm

Re: How to sign a release APK

Post by William Van Hoecke »

Nice and very useful.
Fiddled a bit with it to point to the right files.
It's working fine, Google Play Console is accepting my signed app.

Well done, thanks
tj1010
Posts: 219
Joined: Wed May 27, 2015 1:36 pm

Re: How to sign a release APK

Post by tj1010 »

Here is a way to do it with the Android SDK too. Supposedly jarsigner is obsolete with the Play Store.

*\openjdk-17.0.0.1+2_windows-x64_bin\bin\keytool.exe
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias
*\Android\Sdk\build-tools\[version]\zipalign.exe
zipalign -v -p 4 my-app-unsigned.apk my-app-aligned.apk
*\Android\Sdk\build-tools\[version]\apksigner.exe
apksigner sign --ks my-release-key.jks --out my-app-release.apk my-app-aligned.apk
apksigner verify --verbose my-app-release.apk
If you're really into security you can use a hardware TPM or PSP to store the RSA 2048 key pair:
tpm_config.cfg
name = TPMProvider
library = C:\\Path\\To\\tpm2-pkcs11.dll
*\openjdk-17.0.0.1+2_windows-x64_bin\bin\keytool.exe
keytool -J--add-modules=jdk.crypto.cryptoki -genkeypair -v -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg tpm_config.cfg -alias my-tpm-alias -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=My Name, OU=Dev, O=MyCompany, L=City, S=State, C=US"
*\Android\Sdk\build-tools\[version]\zipalign.exe
zipalign -v -p 4 my-app-unsigned.apk my-app-aligned.apk
*\Android\Sdk\build-tools\[version]\apksigner.exe
apksigner sign --ks NONE --ks-type PKCS11 --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg tpm_config.cfg --ks-key-alias my-tpm-alias --out my-app-release.apk my-app-aligned.apk
apksigner verify --verbose my-app-release.apk
For the public key you give to Google to verify the signed .apk:
# This command pulls the PUBLIC portion (the certificate) out of the TPM
# and saves it as upload_public_key.der in the current directory.
keytool -J--add-modules=jdk.crypto.cryptoki -exportcert -alias my-tpm-alias -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg tpm_config.cfg -file upload_public_key.der
Keys stay in the PSP or TPM; the hash of the APK is sent in, signed, returned and embedded in the metadata for the Play Store. BTW this is just the upload key; if you lose the motherboard and CPU it won't matter because Google does the distribution signing server-side. You just make a new APK with new signing.
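The zipalign / apksigner sign / apksigner verify sequence above tells you the APK verifies, but not that it was signed by the key you meant to use, nor which signature scheme was actually applied. The script below is an added example, not code from tj1010's post or from the Android SDK: it wraps the same sequence and then parses `apksigner verify --verbose --print-certs` output to pin the signer's certificate SHA-256 fingerprint and to reject a v1-only (JAR) signature. The function and variable names, the pinned fingerprint value and the sample apksigner output are all constructed for this example; it assumes `zipalign` and `apksigner` are on PATH when `sign_and_check` is invoked, while the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example, not code from the forum post. Assumes apksigner and zipalign
# (Android SDK build-tools) are on PATH when sign_and_check is invoked; the
# check helpers only parse text and need no toolchain.

# Extract the "Signer #1 certificate SHA-256 digest" value from
# `apksigner verify --verbose --print-certs` output read on stdin.
# Prints lowercase hex, or nothing if the line is absent.
signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# Succeed only if the output reports a successful v2, v3, v3.1 or v4 verification.
# A v1-only (JAR signing) result is rejected: v1 does not cover the whole file.
has_modern_scheme() {
    grep -Eq '^Verified using v(2|3|3\.1|4) scheme \(.*\): true$'
}

# check_verify_output EXPECTED_SHA256   (apksigner verify output on stdin)
# Returns 0 when the APK verifies, was signed by the pinned certificate and
# carries a modern signature scheme; 1 otherwise, with the reason on stderr.
check_verify_output() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':')
    out=$(cat)
    printf '%s\n' "$out" | grep -qx 'Verifies' \
        || { echo "apksigner did not report Verifies" >&2; return 1; }
    actual=$(printf '%s\n' "$out" | signer_sha256)
    [ -n "$actual" ] || { echo "no signer SHA-256 digest found" >&2; return 1; }
    [ "$actual" = "$expected" ] \
        || { echo "signer mismatch: got $actual, expected $expected" >&2; return 1; }
    printf '%s\n' "$out" | has_modern_scheme \
        || { echo "only a v1 (JAR) signature was verified" >&2; return 1; }
    return 0
}

# sign_and_check UNSIGNED_APK KEYSTORE ALIAS OUT_APK EXPECTED_SHA256
# Runs the same zipalign -> apksigner sign -> apksigner verify sequence as the
# post, then refuses to leave OUT_APK in place unless every check passes.
sign_and_check() {
    unsigned=$1; ks=$2; alias=$3; out=$4; expected=$5
    aligned="${out%.apk}-aligned.apk"
    zipalign -p 4 "$unsigned" "$aligned" || return 1
    zipalign -c 4 "$aligned" || return 1          # confirm alignment before signing
    apksigner sign --ks "$ks" --ks-key-alias "$alias" --out "$out" "$aligned" || return 1
    if apksigner verify --verbose --print-certs "$out" | check_verify_output "$expected"; then
        echo "release signed and verified: $out"
    else
        rm -f "$out"                              # never leave a mis-signed release around
        return 1
    fi
}

# Constructed sample of apksigner verify output (the line shapes follow the real
# tool; the digests and DN are made up) so the checks can be exercised offline.
SAMPLE_VERIFY_OUTPUT='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Number of signers: 1
Signer #1 certificate DN: CN=My Name, OU=Dev, O=MyCompany, L=City, ST=State, C=US
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'
# Constructed pinned fingerprint; in practice take it once from a trusted build
# (or from the certificate exported with keytool -exportcert) and keep it in CI.
EXPECTED_SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF

# Only run the real toolchain when invoked with all five arguments.
if [ "$#" -ge 5 ]; then
    sign_and_check "$@"
fi
```

Usage: `sh sign_check.sh my-app-unsigned.apk my-release-key.jks my-alias my-app-release.apk <pinned sha256>`. Pinning the fingerprint is what catches the quiet failure modes: a build machine that picked up a debug keystore, or an alias typo that signed with a different key in the same store. The v1-only rejection matters because a v1 signature only covers the ZIP entries, so an APK whose v2 block was stripped would still report "Verifies".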