
Sign Android files with Apksigner using PKCS11 library

Apksigner is a command-line tool provided by the Android SDK (Software Development Kit). It is used to sign and verify Android application packages (APKs).

Follow these instructions to sign directly using Apksigner and securely reference your private key stored in Software Trust Manager. Alternatively, integrate Apksigner with Signing Manager Controller (SMCTL) for simplified signing.

Prerequisites

Sign with Apksigner

To sign an individual APK file using apksigner:

$ANDROID_HOME/build-tools/31.0.0/apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <your_pkcs11.cfg_file> --ks NONE --ks-type PKCS11 --ks-pass pass:<anything> --ks-key-alias <keypair_alias> --in <unsigned.apk> --out <signed.apk> 

Tip

When you sign with Apksigner, the APK may receive multiple signatures, one for each Android signing version. To avoid multiple signatures, add the following parameters to your sign command and enable only the version that you want to sign with:

--v1-signing-enabled <true or false> --v2-signing-enabled <true or false> --v3-signing-enabled <true or false> --v4-signing-enabled <true or false>

Sample command:

To sign using only Android signing version 3:

$ANDROID_HOME/build-tools/31.0.0/apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <your_pkcs11.cfg_file> --ks NONE --ks-type PKCS11 --ks-pass pass:<anything> --ks-key-alias <keypair_alias> --in <unsigned.apk> --out <signed.apk> --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false

Verify signature with Apksigner

To verify the signature on an individual APK file:

$ANDROID_HOME/build-tools/31.0.0/apksigner verify --verbose <signed.apk>
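
The following is an added example, not part of the original instructions or of the Android SDK: a shell check that reads the verbose verify output and confirms that only the signing versions you intended were applied, which catches the multiple-signature case described in the tip above. The sample outputs are constructed, the function names are hypothetical, and the "Verified using vN scheme" line format is assumed from Apksigner's verbose output.

```shell
#!/bin/sh
# Added example: confirm which signing versions an APK verified with.
# Real use (paths are placeholders, as in the commands above):
#   "$ANDROID_HOME/build-tools/31.0.0/apksigner" verify --verbose signed.apk \
#       | check_schemes "v3"

# Read verbose verify output on stdin and print the versions reported
# as verified, space separated (for example "v1 v2 v3").
verified_schemes() {
    sed -n 's/^Verified using \(v[0-9.]*\) scheme .*: true$/\1/p' | paste -sd ' ' -
}

# Succeed only if the verified versions are exactly the expected list.
check_schemes() {
    expected=$1
    actual=$(verified_schemes)
    if [ "$actual" = "$expected" ]; then
        echo "OK: verified with: $actual"
    else
        echo "MISMATCH: expected '$expected', got '${actual:-none}'" >&2
        return 1
    fi
}

# Constructed sample: APK signed with only --v3-signing-enabled true.
SAMPLE_V3_ONLY='Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Number of signers: 1'

# Constructed sample: APK signed without the version flags, so several
# signing versions were applied.
SAMPLE_MULTI='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Number of signers: 1'

# The v3-only APK passes; the multi-signature APK is flagged.
printf '%s\n' "$SAMPLE_V3_ONLY" | check_schemes "v3"
printf '%s\n' "$SAMPLE_MULTI" | check_schemes "v3" \
    || echo "Re-sign with the unwanted versions set to false."
```

In a release pipeline, a non-zero exit from check_schemes can fail the build before the APK is published.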