Apksigner is a command-line tool provided by the Android SDK (Software Development Kit). It is used to sign and verify Android application packages (APKs).
Follow these instructions to sign directly using Apksigner and securely reference your private key stored in Software Trust Manager. Alternatively, integrate Apksigner with Signing Manager Controller (SMCTL) for simplified signing.
Windows or Linux operating system
Keypair alias
To sign an individual APK file using apksigner:
$ANDROID_HOME/build-tools/31.0.0/apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <your_pkcs11.cfg_file> --ks NONE --ks-type PKCS11 --ks-pass pass:<anything> --ks-key-alias <keypair_alias> --in <unsigned.apk> --out <signed.apk>
Tip
When you sign with Apksigner, the APK may receive multiple signatures, one for each Android signing version. To avoid multiple signatures, add the following parameters to your sign command and enable only the version that you want to sign with:
--v1-signing-enabled <true or false> --v2-signing-enabled <true or false> --v3-signing-enabled <true or false> --v4-signing-enabled <true or false>
Sample command:
To sign using only Android signing version 3:
$ANDROID_HOME/build-tools/31.0.0/apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <your_pkcs11.cfg_file> --ks NONE --ks-type PKCS11 --ks-pass pass:<anything> --ks-key-alias <keypair_alias> --in <unsigned.apk> --out <signed.apk> --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false
To verify the signature on an individual APK file:
$ANDROID_HOME/build-tools/31.0.0/apksigner verify --verbose <signed.apk>
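To confirm that the signed APK carries only the signing version you enabled, the verbose output of the verify command can be checked in a script. The following is an added example, not part of the original instructions; the function names are hypothetical, the sample output is constructed, and it assumes the "Verified using vN scheme (...): true/false" lines that apksigner prints in verbose mode.

```bash
#!/bin/sh
# Added example: check which signing versions apksigner reports as verified.
# Function names are hypothetical; sample output below is constructed.

# Read verbose verify output on stdin and print the verified scheme
# numbers, space-separated (for example "1 2 3").
verified_schemes() {
    sed -n 's/^Verified using v\([0-9][0-9.]*\) scheme .*: true[[:space:]]*$/\1/p' |
        tr '\n' ' ' | sed 's/ $//'
}

# Read verbose verify output on stdin; succeed only if the verified
# schemes match the expected list exactly (for example "3").
check_schemes() {
    cs_expected="$1"
    cs_actual="$(verified_schemes)"
    if [ "$cs_actual" != "$cs_expected" ]; then
        echo "scheme mismatch: expected [$cs_expected], got [$cs_actual]" >&2
        return 1
    fi
    return 0
}

# Constructed sample: APK signed with only version 3 enabled.
SAMPLE_V3_ONLY='Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Number of signers: 1'

# Constructed sample: APK that received several signatures.
SAMPLE_MULTI='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Number of signers: 1'

# Usage after signing (capture first so a failed verify is not masked by the pipe):
#   out="$("$ANDROID_HOME/build-tools/31.0.0/apksigner" verify --verbose <signed.apk>)" || exit 1
#   printf '%s\n' "$out" | check_schemes "3"
```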