A tool that helps signing, zip aligning and verifying multiple Android application packages (APKs) with either debug or provided release certificates (or multiple). It supports v1, v2 and v3 Android signing scheme. Easy and convenient debug signing with embedded debug keystore. Automatically verifies signature and zipalign after every signing.
1java -jar uber-apk-signer.jar --apks /path/to/apks
This should run on any Windows, Mac or Linux machine where Java8+ is installed.
Can be a single apk or a folder containing multiple apks. These are used2 as source for zipalining/signing/verifying. It is also possible to3 provide multiple locations space seperated (can be mixed file folder):4 '/apk /apks2 my.apk'. Folder will be checked non-recursively.5 --allowResign If this flag is set, the tool will not show error on signed apks, but6 will sign them with the new certificate (therefore removing the old7 one).8 --debug Prints additional info for debugging.9 --dryRun Check what apks would be processed without actually doing anything.10-h,--help Prints help docs.11 --ks The keystore file. If this isn't provided, will tryto sign with a debug12 keystore. The debug keystore will be searched in the same dir as13 execution and 'user_home/.android' folder. If it is not found there a14 built-in keystore will be used for convenience. It is possible to pass15 one or multiple keystores. The syntax for multiple params is16 ' = ' for example: '1=keystore.jks'. Must match the17 parameters of --ksAlias.18 --ksAlias The alias of the used key in the keystore. Must be provided if --ks is19 provided. It is possible to pass one or multiple aliases for multiple20 keystore configs. The syntax for multiple params is ' = '21 for example: '1=my-alias'. Must match the parameters of --ks.22 --ksDebug Same as --ks parameter but with a debug keystore. With this option the23 default keystore alias and passwords are used and any arguments relating24 to these parameter are ignored.25 --ksKeyPass The password for the key. If this is not provided, caller will get a26 user prompt to enter it. It is possible to pass one or multiple27 passwords for multiple keystore configs. The syntax for multiple params28 is ' = '. Must match the parameters of --ks.29 --ksPass The password for the keystore. If this is not provided, caller will get30 a user prompt to enter it. It is possible to pass one or multiple31 passwords for multiple keystore configs. The syntax for multiple params32 is ' = '. Must match the parameters of --ks.33-l,--lineage The lineage file for apk signer schema v3 if more then 1 signature is34 used. See here https://bit.ly/2mh6iAC for more info.35-o,--out Where the aligned/signed apks will be copied to. Must be a folder. Will36 create, if it does not exist.37 --overwrite Will overwrite/delete the apks in-place38 --skipZipAlign Skips zipAlign process. Also affects verify.39-v,--version Prints current version.40 --verbose Prints more output, especially useful for sign verify.41 --verifySha256 Provide one or multiple sha256 in string hex representation (ignoring42 case) to let the tool check it against hashes of the APK's certificate43 and use it in the verify process. All given hashes must be present in44 the signature to verify e.g. if 2 hashes are given the apk must have 245 signatures with exact these hashes (providing only one hash, even if it46 matches one cert, will fail).47-y,--onlyVerify If this is passed, the signature and alignment is only verified.48 --zipAlignPath Pass your own zipalign executable. If this is omitted the built-in49 version is used (available for win, mac and linux)
Provide your own out directory for signed apks
1java -jar uber-apk-signer.jar -a /path/to/apks --out /path/to/apks/out
Only verify the signed apks
1java -jar uber-apk-signer.jar -a /path/to/apks --onlyVerify
Sign with your own release keystore
1java -jar uber-apk-signer.jar -a /path/to/apks --ks /path/release.jks --ksAlias my_alias
Provide your own zipalign executable
1java -jar uber-apk-signer.jar -a /path/to/apks --zipAlignPath /sdk/build-tools/24.0.3/zipalign
Provide your own location of your debug keystore
1java -jar uber-apk-signer.jar -a /path/to/apks --ksDebug /path/debug.jks
Sign with your multiple release keystores (see below on how to create a lineage file)
1java -jar uber-apk-signer.jar -a /path/to/apks --lineage /path/sig.lineage --ks 1=/path/release.jks 2=/path/release2.jks --ksAlias 1=my_alias1 2=my_alias2
Use multiple locations or files (will ignore duplicate files)
1java -jar uber-apk-signer.jar -a /path/to/apks /path2 /path3/select1.apk /path3/select2.apk
Provide your sha256 hash to check against the signature:
1java -jar uber-apk-signer.jar -a /path/to/apks --onlyVerify --verifySha256 ab318df27
This application will return
0 if every signing/verifing was successful,
1 if an error happens (e.g. wrong arguments) and
2 if at least 1 sign/verify process was not successful.
If no keystore is provided the tool will try to automatically sign with a debug keystore. It will try to find on in the following locations (descending order):
debug.keystorein the same directory as the jar executable
debug.keystorefound in the
debug.keystorepackaged with the jar executable
A log message will indicate which one was chosen.
Zipalign is a tool developed by Google to optimize zips (apks). It is needed if you want to upload it to the Playstore otherwise it is optional. By default this tool will try to zipalign the apk, therefore it will need the location of the executable. If the path isn't passed in the command line interface, the tool checks if it is in
PATH environment variable, otherwise it will try to use an embedded version of zipalign.
--skipZipAlign is passed no executable is needed.
Android 7.0 introduces APK Signature Scheme v2, a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files. By default, Android Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using both APK Signature Scheme v2 and the traditional signing scheme, which uses JAR signing.
APK Signature Scheme v2 is a whole-file signature scheme that increases verification speed and strengthens integrity guarantees by detecting any changes to the protected parts of the APK. The older jarsigning is called v1 schema.
APK Signature Scheme v3 is an extension to v2 which allows a new signature lineage feature for key rotation, which basically means it will be possible to change signature keys.
This tool does not directly support the creation of lineage files as it is considered a task done very rarely. You can create a lineage file with a sequence of certificates with Google's
apksigner rotate and apply it as
-- lineage arguments when signing with multiple keystores:
1apksigner rotate --out sig.lineage \2 --old-signer --ks debug1.keystore --ks-key-alias androiddebugkey \3 --new-signer --ks debug2.keystore --ks-key-alias androiddebugkey45java -jar uber-apk-signer.jar -a /path/to/apks --lineage sig.lineage (...)
The provided JARs in the Github release page are signed with my private key:
1CN=Patrick Favre-Bulle, OU=Private, O=PF Github Open Source, L=Vienna, ST=Vienna, C=AT2Validity: Thu Sep 07 16:40:57 SGT 2017 to: Fri Feb 10 16:40:57 SGT 20343SHA1: 06:DE:F2:C5:F7:BC:0C:11:ED:35:E2:0F:B1:9F:78:99:0F:BE:43:C44SHA256: 2B:65:33:B0:1C:0D:2A:69:4E:2D:53:8F:29:D5:6C:D6:87:AF:06:42:1F:1A:EE:B3:3C:E0:6D:0B:65:A1:AA:88
Use the jarsigner tool (found in your
$JAVA_HOME/bin folder) folder to verify.
Use the Maven wrapper to create a jar including all dependencies
1./mvnw clean install
This project uses my
common-parent which centralized a lot of
the plugin versions aswell as providing the checkstyle config rules. Specifically they are maintained in
checkstyle-config. Locally the files will be copied after you
mvnw install into your
target folder and is called
target/checkstyle-checker.xml. So if you use a plugin for your IDE, use this file as your local configuration.
Copyright 2016 Patrick Favre-Bulle
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.Star
Overview How to Centralize your Checkstyle Configuration with Maven A Better Way to Protect Your IDs Security Best Practices: Symmetric Encryption with AES in Java and Android: Part 2: AES-CBC + HMAC The Bcrypt Protocol… is kind of a mess The Concise Interface Implementation Pattern Improving ProGuard Name Obfuscation Handling Proguard as Library Developer Managing Logging in a Multi-Module Android App Security Best Practices: Symmetric Encryption with AES in Java and Android
Patrick Favre-Bulle 2020