How to Sign your Android App Using Appdome's Auto-Dev Private Signing Script

Auto-DEV Private Signing enables you to sign your applications securely and automatically in your environment, keeping sensitive signing credentials such as private keys and digital certificates secure. You can download and run a local signing script provided by Appdome to complete the process on your machine.
You only need to provide the SHA fingerprint of your signing certificate for sealing the app. Once it is sealed, Appdome generates a signing script ( sign.sh) that includes the secured APK file. You can download and run the script locally, providing your keystore file, its password, and the alias of the key to sign the app. The script handles all the necessary steps and produces a fully signed Android app ready for release.
The process is automatable and integrates easily into your CI/CD pipelines. Tools like Jenkins, GitLab CI, and Bitrise can incorporate Auto-DEV Private Signing into Android development workflows, allowing for secure, consistent, and efficient app delivery.

Before You Begin

Ensure the following prerequisites are met:

• You have an Appdome IDEAL or higher account.
• You have an Appdome-DEV access.
• Your SDK Build Tool version must be 35.0.0 or later. This version includes updates to the apksigner utility, including changing the default page alignment from 4KB to 16KB and adding a ZIP alignment extra field. Using an older version may lead to improperly signed APKs, which can prevent your app from installing or updating successfully on newer Android devices.
• Your app is built with Appdome’s features and is ready to be signed.
• The Java version installed in your local environment is identical to or newer than the Java version you’re using to generate your keystore. To check your Java version, run the following command on your terminal: java -version
• If using Appdome’s Auto-DEV Private Signing, you have the following:
  • For Mac OS X or Linux computers:
    • Python software (version 2.7 or higher).
    • keytool executable (part of JRE or JDK, version 1.8 or higher) in the search path.
    • zipalign executable (part of the Android SDK Build Tools, version 35.0.0 or higher) in the search path.
    • apksigner executable (part of the Android  SDK Build Tools, version 28.0.3 or higher) in the search path.
  • For Windows computers (Windows 10 or Windows Server 2019):
    • Windows-Subsystem-Linux (WSL) (WSL installation on Windows Server 2019 / WSL installation on Windows 10).
    • A Linux distribution that supports OpenJDK 8 with an apt package manager (For example, Ubuntu 16.04).
    • Python software (version 2.7 or higher).
• If you’re using Google Play App Signing:
  
  • Your app is configured in Google Play App Signing.
  • You have your SHA certificate fingerprint. To retrieve it:
    1. Log in to Google Play Console.
    2. Select the app.
    3. In the left sidebar, click Setup, then select App signing (or Internal app sharing for internal testing).
    4. Copy the SHA-1 or SHA-256 certificate fingerprint from the relevant field.

1. Generate a Certificate Fingerprint

The fingerprint is a one-way hash of the certificate stored in the Android signing Keystore.

Local signing may fail if the certificate fingerprint you provide doesn’t match the keystore, due to Appdome’s Anti-Tampering protections.
To get the fingerprint, follow these steps:

Step by Step:

1. On your workstation, run:

   keytool -list -v -keystore <path_to_keystore> -storepass <store pass> -alias <alias>

   Alternatively, use this command:

   keytool -printcert -jarfile <apk/aab_file>

   The SHA1 or the SHA256 of the signature will be marked inside the output.  This is a public identifier that can also be extracted from the signed .apk. The output should look like this:

   test-alias, Nov 20, 2017, PrivateKeyEntry, 
   Certificate fingerprint (SHA1):BE:D2:E3:17:9F:20:9A:F9:CF:55:E8:31:21:8C:7E:C7:7F:87:62:26

2. Copy the fingerprint.

2. Seal The App in Appdome

Step by step:

1. Sign in to the Appdome platform.
2. In the upper navigation bar, select Sign.
3. Next to “How Would You Like to Sign?”, select Auto-DEV Private Signing.
4. If signing with Google: Toggle on Use Google Play App Signing, and add your certificate fingerprint to the designated field. Also, if relevant, toggle on Google Play Upgrade Signing Key, and add the upgraded certificate fingerprint to the field. Otherwise, skip to the next step.
5. Next to “Certificate Fingerprint”, paste the fingerprint you copied.
6. Select Auto-DEV Sign Privately.
7. In the pop-up message, select Continue with Private Signing.
8. Optional: Tick the checkbox to save your signing credentials.

Once the sealing is complete, continue to the next step to download your app.

3. Configure Your Environment

For Mac OS or Linux:

Step by Step:

1. Locate your zipalign and apksigner executables on your computer.
2. Add their full location (SDK Built tools) to your environment $PATH variable, for example:

export PATH=$PATH:$ANDROID_HOME/build-tools/29.0.0

For Windows-Subsystem-Linux 

Step by Step:

After you have installed the Linux distribution on your Windows computer, open the WSL console and run the following commands:

sudo apt update sudo dist-upgrade -y && sudo apt update
sudo dist-upgrade -y && sudo apt install -y unzip zipalign lib32z1 openjdk-8-jdk gradle
curl https://dl.google.com/android/repository/sdk-tools-linux-4333796.zip --output/tmp/sdk-tools-linux-4333796.zip
unzip/tmp/sdk-tools-linux-4333796.zip -d ~/Android
export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
cd Android/tools/bin
./sdkmanager "platform-tools" "platforms;android-29" "build-tools;29.0.0"
export ANDROID_HOME=~/Android
export PATH=$PATH:$JAVA_HOME/bin:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools:$ANDROID_HOME/build-tools/29.0.0
cd ~
android update sdk --no-ui
gradle -v
adb start-server

4. Run the Auto-DEV Private Script

In some environments, you may be required to grant executable permissions to the signing script (using chmod +x command).

Step by Step:

To run the automatic private signing script, use the following command:

sign.sh --output <path_to_outputfile.apk or path_to_outputfile.aab> --keystore <path_to_keystore> --keystore_pass <keystore password> --key_pass <key password> --keystore_alias <key alias>

Congratulations! You now have a signed app with Appdome’s Auto-DEV private signing script.

Related Articles

• How to Sign Secured iOS Apps Using a local Appdome supplied script
• How to Sign Secured Android Apps Using apksigner
• How to Code Sign Secured iOS Apps in DevSecOps Build System
• How to Sign Secured iOS Apps Using codesign

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.