The apksigner tool, available in revision 24.0.3 and higher of the Android SDK Build Tools, allows you to sign APKs and to confirm that an APK's signature will be verified successfully on all versions of the Android platform supported by those APKs. This page presents a short guide for using the tool and serves as a reference for the different command-line options that the tool supports. For a more complete description of how the apksigner tool is used for signing your APKs, see the Sign your app guide.

If you sign your APK using apksigner and make further changes to the APK, the APK's signature is invalidated. Therefore, you must use tools such as zipalign before signing your APK.

apksigner tool is as follows:

When you sign an APK using the apksigner tool, you must provide the signer's private key and certificate. You can include this information in two different ways:

- With the --ks option.
- With the --key and --cert options, respectively. The private key file must use the PKCS #8 format, and the certificate file must use the X.509 format.

Use the --next-signer option to separate the set of general options to apply to each signer:

The following are the options that the apksigner tool supports.

--out <apk-filename>

--min-sdk-version <integer>
The lowest API level that apksigner uses to confirm that the APK's signature will be verified. Higher values allow the tool to use stronger security parameters when signing the app but limit the APK's availability to devices running more recent versions of Android. By default, apksigner uses the value of the minSdkVersion attribute from the app's manifest file.

--max-sdk-version <integer>
The highest API level that apksigner uses to confirm that the APK's signature will be verified. By default, the tool uses the highest possible API level.

--v1-signing-enabled <true | false>
Determines whether apksigner signs the given APK package using the traditional, JAR-based signing scheme. By default, the tool uses the values of --min-sdk-version and --max-sdk-version to decide when to apply this signature scheme.

--v2-signing-enabled <true | false>
Determines whether apksigner signs the given APK package using the APK Signature Scheme v2. By default, the tool uses the values of --min-sdk-version and --max-sdk-version to decide when to apply this signature scheme.

-v, --verbose

--next-signer <signer-options>

--v1-signer-name <basename>
apksigner uses the key alias of the KeyStore or the basename of the key file for this signer.

--ks <filename>
If set to 'NONE', the KeyStore containing the key and certificate doesn't need a file specified, which is the case for some PKCS #11 KeyStores.

--ks-key-alias <alias>

--ks-pass <input-format>
The apksigner tool supports the following formats:
- pass:<password> – Password provided inline with the rest of the apksigner sign command.
- env:<name> – Password is stored in the given environment variable.
- file:<filename> – Password is stored as a single line in the given file.
- stdin – Password is provided as a single line in the standard input stream. This is the default behavior for --ks-pass.
The apksigner tool associates passwords with an APK's signers based on the order in which you specify the signers. If you've provided two passwords for a signer, apksigner interprets the first password as the KeyStore password and the second one as the key password.

--pass-encoding <charset>
Includes the specified character encodings (such as ibm437 or utf-8) when trying to handle passwords containing non-ASCII characters. apksigner tries to decrypt using several forms of the password: the Unicode form, the form encoded using the JVM default charset, and, on Java 8 and older, the form encoded using the console's default charset. On Java 9, apksigner cannot detect the console's charset, so you may need to specify --pass-encoding when a non-ASCII password is used. You may also need to specify this option with keystores that keytool created on a different OS or in a different locale.

--key-pass <input-format>
The apksigner tool supports the following formats:
- pass:<password> – Password provided inline with the rest of the apksigner sign command.
- env:<name> – Password is stored in the given environment variable.
- file:<filename> – Password is stored as a single line in the given file.
- stdin – Password is provided as a single line in the standard input stream. This is the default behavior for --key-pass.
The apksigner tool associates passwords with an APK's signers based on the order in which you specify the signers. If you've provided two passwords for a signer, apksigner interprets the first password as the KeyStore password and the second one as the key password.

--ks-type <algorithm>
apksigner uses the type defined as the keystore.type constant in the Security properties file.

--ks-provider-name <name>
apksigner uses the highest-priority provider.

--ks-provider-class <class-name>
This option serves as an alternative for --ks-provider-name. By default, apksigner uses the provider specified with the --ks-provider-name option.

--ks-provider-arg <value>
A value to pass as the constructor argument of the class defined with the --ks-provider-class option. By default, apksigner uses the class's 0-argument constructor.

--key <filename>
apksigner prompts for the password using standard input unless you specify a different kind of input format using the --key-pass option.

--cert <filename>

--print-certs

--min-sdk-version <integer>
The lowest API level that apksigner uses to confirm that the APK's signature will be verified. Higher values allow the tool to use stronger security parameters when signing the app but limit the APK's availability to devices running more recent versions of Android. By default, apksigner uses the value of the minSdkVersion attribute from the app's manifest file.

--max-sdk-version <integer>
The highest API level that apksigner uses to confirm that the APK's signature will be verified. By default, the tool uses the highest possible API level.

-v, --verbose

-Werr

Sign an APK using release.jks, which is the only key in the KeyStore:
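
The steps this page describes (align with zipalign, sign from a KeyStore, then verify), as an added shell example that is not part of the original documentation. The file names, the key alias, the KS_PASS variable and the zipalign flags are assumptions; the script rejects the pass: format so the KeyStore password never appears on the command line.

```shell
#!/bin/sh
# Added example (not from the apksigner documentation). File names, the key
# alias and the KS_PASS variable name used below are assumptions.

# Accept only --ks-pass/--key-pass sources that keep the secret out of argv.
# pass:<password> is rejected because it puts the password in the command.
pass_spec_ok() {
  case "$1" in
    env:?*|file:?*|stdin) return 0 ;;
    *) return 1 ;;
  esac
}

# Run a command, or only print it when DRY_RUN is set (for review and tests).
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 unsigned APK  $2 KeyStore  $3 key alias  $4 password source  $5 output APK
release_sign() {
  if ! pass_spec_ok "$4"; then
    # Do not echo $4 itself: it may contain the password.
    echo "refusing inline or unknown password format" >&2
    return 2
  fi
  aligned="${5%.apk}-aligned.apk"
  # Align first: changing the APK after signing invalidates the signature.
  # -Werr on the verify step makes warnings fail the run, not only errors.
  run zipalign -p -f 4 "$1" "$aligned" &&
  run apksigner sign --ks "$2" --ks-key-alias "$3" --ks-pass "$4" \
      --out "$5" "$aligned" &&
  run apksigner verify --verbose -Werr "$5"
}

# Usage: KS_PASS=... ./sign.sh app-unsigned.apk release.jks release env:KS_PASS app-release.apk
if [ "$#" -eq 5 ]; then
  release_sign "$@"
fi
```

Set DRY_RUN=1 to print the three commands for review without running them.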