How to Sign Secured Android Apps Using apksigner

Android apps must be signed before being installed on mobile devices. Many developers sign within their development and integration platform, but some are required to sign the applications on designated computers to preserve the signing credentials within a trusted environment. This Knowledge Base article summarizes the steps required to either sign apps on Appdome or privately. 

Appdome allows signing an app via the Sign tab using the following methods:

• On Appdome
  Appdome handles the entire signing process. You only need to provide the signing credentials. 
• Private Signing
  You manage the entire signing process.
• Auto-DEV Private Signing
  Sign the app without uploading the signing certificate to Appdome’s cloud service. Appdome provides a script (.sh file) that runs in your trusted environment, using your credentials (certificate and password) as input.

Prerequisites

To use Appdome’s mobile app security build system to sign your apps, you’ll need:

• Appdome account (create a free Appdome account here)
• Appdome-GO access
• A built Mobile App (.ipa for iOS, or .apk or .aab for Android)
• Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)

Signing an Android app on Appdome

For an Android signing certificate, you can use the information in these resources to create a self-signed certificate keystore.

• Sign your app with Play App Signing
• Signing Android Apps with Private Keys and Certificates

1. Select Sign on Appdome
2. Add your keystore file.
   For more details on how to generate a keystone file, see Generate an Upload Key and Keystore
3. Enter your keystore password, key alias, and key password
4. Click Sign My App 

How to Privately Sign Secured Android Apps

Prerequisites to Privately Sign Secured or Shielded Android Apps

For an Android signing certificate, you can use the information in these resources on how to create a self-signed certificate Keystore.

• Use Google Play and your Own Keystore
• Signing Android Apps with Private Keys and Certificates

1. Chose Private Signing as the signing method on the Appdome platform
2. Enter the certificate fingerprint.
   Note: The certificate fingerprint is obtained using a Java tool described in the next section. Once you obtain the fingerprint, you can paste it with or without colon (:) separators.
   Note: The hint is the fingerprint of the application’s signing certificate as it was uploaded to Appdome. If you sign before and after Appdome with the same credentials, the hint will suffice.
3. Click the link Private Signing(optional). Mark the checkbox to save the signing method on your fusion set.
   
4. Next, you need to verify your certificate fingerprint and click Continue Private Signing.
   

   

Once Sealing the application is complete, you can download the application and Deploy it.

How to Obtain the Certificate Fingerprint for Appdome Anti-Tampering

The fingerprint is a one-way hash of the certificate stored in the Android signing Keystore.
To get the fingerprint required by Appdome when signing Android Apps off the Appdome platform from your workstation, run:

keytool -list -v -keystore <path_to_keystore> -storepass <store pass> -alias <alias>

Or another method:

keytool -list -printcert -jarfile <path_to_app>

Note: The SHA1 or the SHA256 of the signature is marked inside it.  It is a public identifier that can be extracted from the signed .apk as well.

For example, the output should look like this:

test-alias, Nov 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1):BE:D2:E3:17:9F:20:9A:F9:CF:55:E8:31:21:8C:7E:C7:7F:87:62:26

Note: When choosing the option to sign manually, you will need to copy and paste this fingerprint into the certificate fingerprint field on Appdome. 

Important Note:

When signing in your local environment, the Java version installed locally must be identical to or newer than the Java version used when generating your keystore.

To check your Java version, run the following command on your terminal:

java -version

How to Use Appdome-DEV Private Signing Script

You can obtain this private signing script from Appdome. This will allow users to sign apps Built on Appdome without having to upload signing certificates to Appdome.

Signing a Secured Android APK App on your Workstation

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

zipalign -f 4 <path_to_apk> <path_to_apk>-aligned.apk

mv <path_to_apk>-aligned.apk <path_to_apk>

apksigner sign --ks <path_to_keystore> --ks-pass pass:<store pass> --ks-key-alias <alias> --key-pass pass:<key pass> --v2-signing-enabled --v1-signing-enabled <path_to_apk>

After signing, your app is ready to deploy.

Signing a Secured Android AAB App on your Workstation

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

jarsigner <path_to_AAB> -sigalg SHA256withRSA -digestalg SHA-256 -keystore <path_to_keystore> <alias> -storepass <store pass> -keypass <key pass> -signedjar signed_AAB.aab

After signing, your app is ready to deploy to the Play Store.

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Related Articles

• How to Sign Secured iOS Apps Using a local Appdome supplied script
• How to Sign Secured Android Apps Using apksigner
• How to Code Sign Secured iOS Apps in DevSecOps Build System
• How to Sign Secured iOS Apps Using Codesign

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy.