How to Sign an Already Compiled Apk

android android-install-apk apk

231,706

Solution 1

create a key using

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

then sign the apk using :

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name

check here for more info

Solution 2

Automated Process:

Use this tool (uses the new apksigner from Google):

https://github.com/patrickfav/uber-apk-signer

^{Disclaimer: Im the developer :)}

Manual Process:

Step 1: Generate Keystore (only once)

You need to generate a keystore once and use it to sign your unsigned apk. Use the keytool provided by the JDK found in %JAVA_HOME%/bin/

keytool -genkey -v -keystore my.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias app

Step 2 or 4: Zipalign

zipalign which is a tool provided by the Android SDK found in e.g. %ANDROID_HOME%/sdk/build-tools/24.0.2/ is a mandatory optimization step if you want to upload the apk to the Play Store.

zipalign -p 4 my.apk my-aligned.apk

Note: when using the old jarsigner you need to zipalign AFTER signing. When using the new apksigner method you do it BEFORE signing (confusing, I know). Invoking zipalign before apksigner works fine because apksigner preserves APK alignment and compression (unlike jarsigner).

You can verify the alignment with

zipalign -c 4 my-aligned.apk

Step 3: Sign & Verify

Using build-tools 24.0.2 and older

Use jarsigner which, like the keytool, comes with the JDK distribution found in %JAVA_HOME%/bin/ and use it like so:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore my-app.apk my_alias_name

and can be verified with

jarsigner -verify -verbose my_application.apk

Using build-tools 24.0.3 and newer

Android 7.0 introduces APK Signature Scheme v2, a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files (See here and here for more details). Therefore, Google implemented their own apk signer called apksigner (duh!) The script file can be found in %ANDROID_HOME%/sdk/build-tools/24.0.3/ (the .jar is in the /lib subfolder). Use it like this

apksigner sign --ks-key-alias alias_name --ks my.keystore my-app.apk

and can be verified with

apksigner verify my-app.apk

The official documentation can be found here.

Solution 3

fastest way is by signing with the debug keystore:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.android/debug.keystore app.apk androiddebugkey -storepass android

or on Windows:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore %USERPROFILE%/.android/debug.keystore test.apk androiddebugkey -storepass android

Solution 4

You use jarsigner to sign APK's. You don't have to sign with the original keystore, just generate a new one. Read up on the details: http://developer.android.com/guide/publishing/app-signing.html

Solution 5

Updated answer

Check https://shatter-box.com/knowledgebase/android-apk-signing-tool-apk-signer/

Old answer

check apk-signer a nice way to sign your app

View more solutions

231,706

Author by

svarog

The criterion of truth is that it works even if nobody is prepared to acknowledge it.

Updated on July 08, 2022

Comments

svarog almost 2 years
I've decoded an APK with apktool (as the original source code was lost) so I could fix some issues with the layout xml files. I've then rebuilt it back up with apktool and when I tried to install it on my device (using adb: adb install appname.apk) it gave me this error:
```
[INSTALL_PARSE_FAILED_NO_CERTIFICATES]
```
the original apk however was signed by a keystore (on eclipse IDE), this one isn't, how can I sign it properly with it's original keystone file outside Eclipse!?
Kyle over 8 years

this should be the answer, 27 upvotes versus 3 to the original answer, come on!
Couitchy over 8 years

if you do this and try to install the APK, you might end up with a INSTALL_FAILED_DUPLICATE_PERMISSION error. This happens when the original APK cannot be overwrited (system or built-in app for instance)
Dr Deo about 8 years

@Couitchy adb shell pm install -r /data/tmp/myapk.apk
jayatubi about 8 years

the link has been broken
Pellet over 7 years

if you dont want to bother creating a key you can use the debug key with: jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.android/debug.keystore app.apk androiddebugkey -storepass android
shereifhawary over 7 years

most properly because it was an old thread, you can have a look to this one shatter-box.com/knowledgebase/…
Maria Ines Parnisari over 7 years

Is there a difference between using jarsigner and apksigner? One requires signing and then zipaligning and the other zipaligning and then signinig
cantoni over 7 years

Thanks for uber-apk-signer! Great tool!
snuk182 over 7 years

Debug key lives only 1 year since SDK installation, so it is not a good idea to use it for a release.
kinORnirvana about 7 years

For build-tools 24.0.3 correct way to call zipalign is: zipalign -p 4 my.apk my-aligned.apk
antiplex almost 7 years

Thanks for your description! tried uber-apk-signer first but failed probably because I have openJDK installed on my system instead of oracles "official" java. So I tried the manual way and also failed (still same error [INSTALL_PARSE_FAILED_NO_CERTIFICATES]). Verifying with uber-apk-signer gave me some further insight signature VERIFY FAILED [...] ERROR: JAR signer CERT.RSA: JAR signature META-INF/CERT.RSA uses digest algorithm 2.16.840.1.101.3.4.2.1 and signature algorithm 1.2.840.113549.1.1.1 which is not supported on API Levels [[15, 17]]. Yes, android 4.2.2, SHA256 not there? ideas?
Patrick over 6 years

@antiplex please report the issue in github not SO
antiplex over 6 years

@for3st do you mean that my issues may not be due to my limited knowledge around apk-signing but due to some form of incompatibility of uber-apk-signer? but even then the manual way also fails which seems unrelated to your tool...
James Wilkins about 6 years

What is the Difference between Jar signer and Apk signer? stackoverflow.com/questions/44153144/…
James Wilkins about 6 years

For Windows I couldn't find jarsigner but I did find apksigner.bat in the Android Studio sdk folder, which did work great. ;) Perhaps this is the NEW way? Anyhow, the file was in C:\Users\{username}\AppData\Local\Android\Sdk\build-tools\{v‌ersion} for Android Studio and also in C:\Program Files (x86)\Android\android-sdk\build-tools\{version} (or similar path) for Visual Studio 2017 users.
James Wilkins about 6 years

For those looking for the command line tool location, I found it in C:\Users\{username}\AppData\Local\Android\Sdk\build-tools\{v‌ersion} for Android Studio and also in C:\Program Files (x86)\Android\android-sdk\build-tools\{version} (or similar path) for Visual Studio 2017 users.
nmu over 5 years

Would like to nominate this for best answer on Stack overflow
user2513149 over 5 years

zipalign -p 4 my.apk my-aligned.apk says ERROR: unknown flag -p.
Velda almost 4 years

Does not work for me. No certificate is added to APK. Seems like it does nothing. Do not even ask for an alias password.
Velda almost 4 years

Seems like --ks-key-alias is not needed, if there's only key in a keystore.
michael-martinez over 3 years

Thanks a lot, I was looking for how to specify an alias, the documentation was confusing and does not provide clear examples.
user2513149 over 3 years

The following command worked for me: zipalign 4 my.apk my-aligned.apk (without the -p option).
Epic Speedy about 3 years

both links are now deprecated. do not use
Parth Developer over 2 years

getting Error: Only one alias can be specified
Shimmy Weitzhandler over 2 years

There's the error I'm getting when running jarsigner: jarsigner: unable to sign jar: java.util.zip.ZipException: invalid entry compressed size (expected 2025 but got 1897 bytes)