Apk-signer ? Let's Sign Apk files
Android 7.0 introduces APK Signature Scheme v2, a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files (See here and here for more details). Therefore, Google implemented their own apk signer called apksigner (duh!)The script file can be found in %ANDROID_HOME%/sdk/build-tools/24.0.3/ (the .jar is in the /lib subfolder). Use it like this
apk-signer – Let's sign apk files
Now that we have a keystore, let's sign it to your app. Start by making sure your .apk file is in the same directory as your .keystore file. This makes the process much easier. Let's take a look at the jarsigner command:
As the most basic signing scheme, scheme v1 is based on a manifest file. This manifest file contains the names of the files that compose an APK and a the hash of each file contained in the APK. Signatures are verified using the signature file (META-INF/.SF) and the META-INF/.(RSADSAEC) file. Only if a file's signature is valid, the file is loaded onto the memory. Otherwise, the file doesn't get loaded.
Now, like we did with v2, let's use 010 Editor to see an APK Signing Block. The following screenshot shows the APK Signing Block of an APK. The highlighted part in blue is the sign ID (blockId) which is always set to 0xf05368c0 to indicate that the scheme block is based on scheme v3.
In Modern Android Phones, Un-Signed APK files can be Easily installed. But Older versions of Android does not Support the installation of Unsigned APK files. This is not a common Problem. But for Publishers and Hackers, it can create a lot of problem, because Unsigned APK files give error on Older Android Versions & cannot be EVEN Uploaded on Google Play or Play Store.
Signing the APK is not so Difficult. You have to be Patient, and Comment below if you face any problems or errors. So, I`ve listed THREE Methods below to Sign the APK FILE. Method#1 is Easy but requires 700mb of disc space for installing required files, Method#2 is a bit Difficult but does`nt requires much space, but Method #3 is EASIEST Method of signing the APK File (It can only be done on android) .
Hi,please enter your JDK path at the signer (select the bin folder in it).Please see here -box.com/knowledgebase/android-apk-signing-tool-apk-signer/#create-a-keystore-fileThe number (1) shows the accurate path.
Android apps are signed in the normal manner of .jar files (.apk is really just a special .jar which is just a special .zip) however it may not be trivial to trace the authenticity of the certificates unless you have something known good to compare to. That's basically what the phone itself does - verifies that something that claims to be from the same party as something already on the phone actually is - the phone doesn't refuse to install things with unknown signers, it can only (object to/clear application data of) apparent forgeries when something new doesn't match something old that it claims to.
Install the right Eclipse Java compiler package for your device (the ecj4.6 package if you're running Android 5 or 6), the Android dex tool, and other packages needed to build an Android apk. Generate any Java files needed, compile and dex them, then package everything up into an apk and sign it.
Now let's generate a hashed manifest, just like a Java jar file, and sign the app. If you have your own Java Keystore already, just supply it to apksigner. If not, apksigner will generate a self-signed Keystore file, which we name debug.ks below, which is good enough to sign and install debug apps on your own Android device.
You should see three additional files in the apk, if you list its contents using the command above. At this point, you can install and run the signed app on your own device. If you modify the app, you'll need to build the manifest and sign it again: make sure you use the debug.ks you created before or Android won't allow you to reinstall the same app with a newly generated key, unless you first uninstall the app.
Unfortunately, apksigner only supports Java Keystore files for signing right now and I don't know how to build one from scratch, so if you don't have a keystore and want to release your app to an app store, you'll have to use OpenSSL to sign the app.
You use the JAR Signing and Verification Tool to sign JAR files and time stamp the signature. You invoke the JAR Signing and Verification Tool by using the jarsigner command, so we'll refer to it as "Jarsigner" for short.
This basic form of the command assumes that the keystore to be used is in a file named .keystore in your home directory. It will create signature and signature block files with names x.SF and x.DSA respectively, where x is the first eight letters of the alias, all converted to upper case. This basic command will overwrite the original JAR file with the signed JAR file.
You will be prompted to enter the passwords for both the keystore and your alias. Because this command doesn't make use of the -sigfile option, the .SF and .DSA files it creates would be named JOHNDOE.SF and JOHNDOE.DSA. Because the command doesn't use the -signedjar option, the resulting signed file will overwrite the original version of app.jar.
The signature and signature block files would be named SIG.SF and SIG.DSA, respectively, and the signed JAR file SignedApp.jar would be placed in the current directory. The original unsigned JAR file would remain unchanged. Also, the signature would be time stamped with the TSA's public key certificate identified as testalias.
Android 7.0 introduces APK Signature Scheme v2, a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files. By default, Android Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using both APK Signature Scheme v2 and the traditional signing scheme, which uses JAR signing.
This tool does not directly support the creation of lineage files as it is considered a task done very rarely. You can create a lineage file with a sequence of certificates with Google's apksigner rotate and apply it as -- lineage arguments when signing with multiple keystores:
The consequence of this new signing scheme, however, is that there are new constraints on the APK creation process. Since only uncompressed file contents were verified in v1, that allowed for quite a lot of modifications to be made after APK signing - files could be moved around or even recompressed. In fact, the zipalign tool which was part of the build process did exactly that - it was used to align ZIP entries on correct byte boundaries for improved runtime performance.