Sign Android files with Apksigner using PKCS11 library
Apksigner is a command-line tool provided by the Android SDK (Software Development Kit). It is used to sign and verify Android application packages (APKs).
Follow these instructions to sign directly using Apksigner and securely reference your private key stored in Software Trust Manager. Alternatively, integrate Apksigner with Signing Manager Controller (SMCTL) for simplified signing.
Prerequisites
Windows or Linux operating system
Keypair alias
Sign with Apksigner
To sign an individual APK file using apksigner:
$ANDROID_HOME/build-tools/31.0.0/apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <your_pkcs11.cfg_file> --ks NONE --ks-type PKCS11 --ks-pass pass:<anything> --ks-key-alias <keypair_alias> --in <unsigned.apk> --out <signed.apk>
Tip
Apksigner may produce signatures for several APK signature scheme versions at once. To restrict signing to a single scheme, add the following parameters to your sign command and enable only the version you want to sign with:
--v1-signing-enabled <true or false> --v2-signing-enabled <true or false> --v3-signing-enabled <true or false> --v4-signing-enabled <true or false>
Sample command:
To sign using only APK Signature Scheme v3:
$ANDROID_HOME/build-tools/31.0.0/apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <your_pkcs11.cfg_file> --ks NONE --ks-type PKCS11 --ks-pass pass:<anything> --ks-key-alias <keypair_alias> --in <unsigned.apk> --out <signed.apk> --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false
Verify signature with Apksigner
To verify the signature on an individual APK file:
$ANDROID_HOME/build-tools/31.0.0/apksigner verify --verbose <signed.apk>
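The following script is an added example, not part of the original page or DigiCert's tooling. It ties together the sign command, the single-scheme tip, and the verify step above: it writes the SunPKCS11 configuration file that --provider-arg expects, builds the four --vN-signing-enabled flags so that exactly one scheme is enabled, and runs sign followed by verify. The library path, the "STM" provider name and the slot index are placeholders you must replace with the values for your Software Trust Manager PKCS#11 library; the keystore password follows the page's "pass:<anything>" convention.

```shell
#!/bin/sh
# Added example (not the page's or DigiCert's own script). Assumptions:
#   - $ANDROID_HOME points at an Android SDK with build-tools 31.0.0 installed
#   - the PKCS#11 library path passed to write_pkcs11_cfg is a placeholder
set -eu

# Write a SunPKCS11 configuration file for --provider-arg.
# Args: output path, path to the PKCS#11 library. Prints the config path.
write_pkcs11_cfg() {
    cfg="$1"; lib="$2"
    # "STM" and slotListIndex 0 are placeholders; adjust for your token.
    printf 'name = STM\nlibrary = %s\nslotListIndex = 0\n' "$lib" > "$cfg"
    echo "$cfg"
}

# Emit --v1..--v4-signing-enabled flags with only the requested scheme true.
# Arg: scheme number 1-4. Fails on any other value.
scheme_flags() {
    want="$1"
    case "$want" in
        1|2|3|4) ;;
        *) echo "scheme must be 1, 2, 3 or 4 (got '$want')" >&2; return 1 ;;
    esac
    out=""
    for v in 1 2 3 4; do
        if [ "$v" = "$want" ]; then state=true; else state=false; fi
        out="$out --v${v}-signing-enabled $state"
    done
    printf '%s' "${out# }"
}

# Sign one APK with the PKCS#11-backed key and verify the result.
# Args: pkcs11 cfg, keypair alias, unsigned apk, signed apk, scheme 1-4.
# Refuses to overwrite an existing output and fails if verify fails.
sign_and_verify() {
    cfg="$1"; alias="$2"; in_apk="$3"; out_apk="$4"; scheme="$5"
    apksigner="${ANDROID_HOME:?ANDROID_HOME must be set}/build-tools/31.0.0/apksigner"
    [ -f "$in_apk" ]   || { echo "missing input APK: $in_apk" >&2; return 1; }
    [ ! -e "$out_apk" ] || { echo "refusing to overwrite: $out_apk" >&2; return 1; }
    flags=$(scheme_flags "$scheme")
    # $flags is intentionally unquoted so it expands to eight separate words.
    # shellcheck disable=SC2086
    "$apksigner" sign --provider-class sun.security.pkcs11.SunPKCS11 \
        --provider-arg "$cfg" --ks NONE --ks-type PKCS11 --ks-pass pass:none \
        --ks-key-alias "$alias" --in "$in_apk" --out "$out_apk" $flags
    "$apksigner" verify --verbose "$out_apk"
}

# Example invocation (only when run directly with a real SDK present):
#   cfg=$(write_pkcs11_cfg ./stm_pkcs11.cfg /path/to/your/pkcs11_library.so)
#   sign_and_verify "$cfg" my_keypair_alias app-unsigned.apk app-signed.apk 3
```

Keeping verify in the same function as sign means a failed or mismatched signature stops the pipeline instead of producing an APK that looks signed but will not install; the overwrite check prevents a re-run from silently replacing an already distributed artifact.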