USAGE: apksigner sign [options] apk

This signs the provided APK, stripping out any pre-existing signatures. Signing
is performed using one or more signers, each represented by an asymmetric key
pair and a corresponding certificate. Typically, an APK is signed by just one
signer. For each signer, you need to provide the signer's private key and
certificate.


        GENERAL OPTIONS

--in                  Input APK file to sign. This is an alternative to
                      specifying the APK as the very last parameter, after all
                      options. Unless --out is specified, this file will be
                      overwritten with the resulting signed APK.

--out                 File into which to output the signed APK. By default, the
                      APK is signed in-place, overwriting the input file.

-v, --verbose         Verbose output mode

--v1-signing-enabled  Whether to enable signing using JAR signing scheme (aka v1
                      signing scheme) used in Android since day one. By default,
                      signing using this scheme is enabled based on min and max
                      SDK version (see --min-sdk-version and --max-sdk-version).

--v2-signing-enabled  Whether to enable signing using APK Signature Scheme v2
                      (aka v2 signing scheme) introduced in Android Nougat,
                      API Level 24. By default, signing using this scheme is
                      enabled based on min and max SDK version (see
                      --min-sdk-version and --max-sdk-version).

--min-sdk-version     Lowest API Level on which this APK's signatures will be
                      verified. By default, the value from AndroidManifest.xml
                      is used. The higher the value, the stronger security
                      parameters are used when signing.

--max-sdk-version     Highest API Level on which this APK's signatures will be
                      verified. By default, the highest possible value is used.

--debuggable-apk-permitted  Whether to permit signing android:debuggable="true"
                      APKs. Android disables some of its security protections
                      for such apps. For example, anybody with ADB shell access
                      can execute arbitrary code in the context of a debuggable
                      app and can read/write persistently stored data of the
                      app. It is a good security practice to not sign
                      debuggable APKs with production signing keys, because
                      such APKs put users at risk once leaked.
                      By default, signing debuggable APKs is permitted, for
                      backward compatibility with older apksigner versions.

-h, --help            Show help about this command and exit


        PER-SIGNER OPTIONS
These options specify the configuration of a particular signer. To delimit
options of different signers, use --next-signer.

--next-signer         Delimits options of two different signers. There is no
                      need to use this option when only one signer is used.

--v1-signer-name      Basename for files comprising the JAR signature scheme
                      (aka v1 scheme) signature of this signer. By default,
                      KeyStore key alias or basename of key file is used.

        PER-SIGNER SIGNING KEY & CERTIFICATE OPTIONS
There are two ways to provide the signer's private key and certificate: (1) Java
KeyStore (see --ks), or (2) private key file in PKCS #8 format and certificate
file in X.509 format (see --key and --cert).

--ks                  Load private key and certificate chain from the Java
                      KeyStore initialized from the specified file. NONE means
                      no file is needed by KeyStore, which is the case for some
                      PKCS #11 KeyStores.

--ks-key-alias        Alias under which the private key and certificate are
                      stored in the KeyStore. This must be specified if the
                      KeyStore contains multiple keys.

--ks-pass             KeyStore password (see --ks). The following formats are
                      supported:
                          pass:<password> password provided inline
                          env:<name>      password provided in the named
                                          environment variable
                          file:<file>     password provided in the named
                                          file, as a single line
                          stdin           password provided on standard input,
                                          as a single line
                      A password is required to open a KeyStore.
                      By default, the tool will prompt for password via console
                      or standard input.
                      When the same file (including standard input) is used for
                      providing multiple passwords, the passwords are read from
                      the file one line at a time. Passwords are read in the
                      order in which signers are specified and, within each
                      signer, KeyStore password is read before the key password
                      is read.

--key-pass            Password with which the private key is protected.
                      The following formats are supported:
                          pass:<password> password provided inline
                          env:<name>      password provided in the named
                                          environment variable
                          file:<file>     password provided in the named
                                          file, as a single line
                          stdin           password provided on standard input,
                                          as a single line
                      If --key-pass is not specified for a KeyStore key, this
                      tool will attempt to load the key using the KeyStore
                      password and, if that fails, will prompt for key password
                      and attempt to load the key using that password.
                      If --key-pass is not specified for a private key file key,
                      this tool will prompt for key password only if a password
                      is required.
                      When the same file (including standard input) is used for
                      providing multiple passwords, the passwords are read from
                      the file one line at a time. Passwords are read in the
                      order in which signers are specified and, within each
                      signer, KeyStore password is read before the key password
                      is read.

--pass-encoding       Additional character encoding (e.g., ibm437 or utf-8) to
                      try for passwords containing non-ASCII characters.
                      KeyStores created by keytool are often encrypted not using
                      the Unicode form of the password but rather using the form
                      produced by encoding the password using the console's
                      character encoding. apksigner by default tries to decrypt
                      using several forms of the password: the Unicode form, the
                      form encoded using the JVM default charset, and, on Java 8
                      and older, the form encoded using the console's charset.
                      On Java 9, apksigner cannot detect the console's charset
                      and may need to be provided with --pass-encoding when a
                      non-ASCII password is used. --pass-encoding may also need
                      to be provided for a KeyStore created by keytool on a
                      different OS or in a different locale.

--ks-type             Type/algorithm of KeyStore to use. By default, the default
                      type is used.

--ks-provider-name    Name of the JCA Provider from which to request the
                      KeyStore implementation. By default, the highest priority
                      provider is used. See --ks-provider-class for the
                      alternative way to specify a provider.

--ks-provider-class   Fully-qualified class name of the JCA Provider from which
                      to request the KeyStore implementation. By default, the
                      provider is chosen based on --ks-provider-name.

--ks-provider-arg     Value to pass into the constructor of the JCA Provider
                      class specified by --ks-provider-class. The value is
                      passed into the constructor as java.lang.String. By
                      default, the no-arg provider's constructor is used.

--key                 Load private key from the specified file. If the key is
                      password-protected, the password will be prompted via
                      standard input unless specified otherwise using
                      --key-pass. The file must be in PKCS #8 DER format.

--cert                Load certificate chain from the specified file. The file
                      must be in X.509 PEM or DER format.


        JCA PROVIDER INSTALLATION OPTIONS
These options enable you to install additional Java Crypto Architecture (JCA)
Providers, such as PKCS #11 providers. Use --next-provider to delimit options of
different providers. Providers are installed in the order in which they appear
on the command-line.

--provider-class      Fully-qualified class name of the JCA Provider.

--provider-arg        Value to pass into the constructor of the JCA Provider
                      class specified by --provider-class. The value is passed
                      into the constructor as java.lang.String. By default, the
                      no-arg provider's constructor is used.

--provider-pos        Position / priority at which to install this provider in
                      the JCA provider list. By default, the provider is
                      installed as the lowest priority provider.
                      See java.security.Security.insertProviderAt.


        EXAMPLES

1. Sign an APK, in-place, using the one and only key in keystore release.jks:
$ apksigner sign --ks release.jks app.apk

2. Sign an APK, without overwriting, using the one and only key in keystore
   release.jks:
$ apksigner sign --ks release.jks --in app.apk --out app-signed.apk

3. Sign an APK using a private key and certificate stored as individual files:
$ apksigner sign --key release.pk8 --cert release.x509.pem app.apk

4. Sign an APK using two keys:
$ apksigner sign --ks release.jks --next-signer --ks magic.jks app.apk

5. Sign an APK using PKCS #11 JCA Provider:
$ apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 \
    --provider-arg token.cfg --ks NONE --ks-type PKCS11 app.apk

6. Sign an APK using a non-ASCII password KeyStore created on English Windows.
   The --pass-encoding parameter is not needed if apksigner is being run on
   English Windows with Java 8 or older.
$ apksigner sign --ks release.jks --pass-encoding ibm437 app.apk

7. Sign an APK on Windows using a non-ASCII password KeyStore created on a
   modern OSX or Linux machine:
$ apksigner sign --ks release.jks --pass-encoding utf-8 app.apk
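
The shared password file described under --ks-pass and --key-pass, combined with --debuggable-apk-permitted, as an added example that is not part of the apksigner help text. The keystore names release.jks and upload.jks and both function names are hypothetical; only the apksigner options come from the help above.

```shell
#!/bin/sh
# Added example. release.jks, upload.jks and the function names are
# hypothetical; only the apksigner options come from the help text.

# Write one shared password file for several signers.
# Usage: write_password_file OUT KS_PASS_1 KEY_PASS_1 [KS_PASS_2 KEY_PASS_2 ...]
# apksigner reads such a file one line at a time: signers in command-line
# order and, within each signer, the KeyStore password before the key password.
write_password_file() {
    pw_out=$1
    shift
    if [ $# -eq 0 ] || [ $(( $# % 2 )) -ne 0 ]; then
        echo "need a KeyStore password and a key password per signer" >&2
        return 1
    fi
    ( umask 077 && : > "$pw_out" ) || return 1   # owner-only, created empty
    while [ $# -gt 0 ]; do
        printf '%s\n%s\n' "$1" "$2" >> "$pw_out" || return 1
        shift 2
    done
}

# Sign APK_IN to APK_OUT with two signers that both read from PW_FILE.
# Debuggable APKs are refused, so these keys never sign one.
sign_two_signers() {
    pw_file=$1 apk_in=$2 apk_out=$3
    apksigner sign \
        --debuggable-apk-permitted false \
        --ks release.jks --ks-pass "file:$pw_file" --key-pass "file:$pw_file" \
        --next-signer \
        --ks upload.jks --ks-pass "file:$pw_file" --key-pass "file:$pw_file" \
        --in "$apk_in" --out "$apk_out"
}
```

With this layout, line 1 of the file opens release.jks, line 2 unlocks its key, and lines 3 and 4 do the same for upload.jks.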