How to Sign Your Android App

Last updated June 29, 2025 by Appdome

After development is complete, all Android applications must be digitally signed before they can be published on Google Play or other app stores. A digital signature is a cryptographic mechanism used to confirm the identity of the app’s developer and to ensure the application hasn’t been modified or tampered with without authorization. Apps that are unsigned or improperly signed cannot be installed or executed on the Android platform.
When Appdome’s security features are added to an app (the Build process), the app’s original digital signature is invalidated, requiring the app to be re-signed before it can be deployed to mobile devices. You can re-sign your protected application directly in Appdome, within your own secure environment, or by using Appdome’s Auto-DEV solution—a private signing service designed for secure integration into your development pipeline.
If your app is packaged as an Android App Bundle (AAB) or as an Android Package (APK) created after August 2021, you must use Google Play App Signing—a service provided by Google to manage and protect your app’s signing keys. APKs created before August 2021 may still be signed using either Google Play App Signing or your own upload key and keystore.

Sign Your Application in Appdome

There are two signing options in Appdome. In the standard signing process, you simply upload your keystore file and signing key. Appdome uses them to fully sign the app, and then it can be directly uploaded to the Google Play Store. In this case, Google does not alter the signature afterwards.
When you enable “Use Google Play App Signing”, after you temporarily sign the app with an upload key, Google (or an alternative signing service, such as App Center or Firebase) provides the final app signing, using its secure infrastructure to manage your app’s actual “signing key”.
Once the application is signed in Appdome, you can directly deploy it to the Google Play Store. You can easily publish signed apps to Google Play using Appdome’s auto-deploy feature.

Before You Begin

Ensure the following prerequisites are met:

  • Your app is built with Appdome’s features and is ready to be signed.
  • You have the following:
    • Keystore file
      If the app already exists on Google Play, you must use the same keystore and signing key you used to sign previous versions of the app—otherwise, Google will reject the upload.
    • Keystore password
    • Key alias
    • Key password
      Learn how to generate a keystore and an upload key in Android Studio.
    • If you’re using Google Play App Signing:
      • Your app is configured in Google Play App Signing.
      • You have your SHA certificate fingerprint. To retrieve it:
        1. Log in to Google Play Console.
        2. Select the app.
        3. In the left sidebar, click Setup, then select App signing (or Internal app sharing for internal testing).
        4. Copy the SHA-1 or SHA-256 certificate fingerprint from the relevant field.

Step by Step:
  1. Sign in to the Appdome platform.
  2. Select the APK/AAB app you’d like to sign (the app must complete the Build process with Appdome before you can sign it).
  3. In the upper navigation bar, select Sign.
  4. Next to “How Would You Like to Sign?”, select On Appdome.
  5. If signing with Google: Toggle on Use Google Play App Signing, and add your certificate fingerprint to the designated field. Also, if relevant, toggle on Google Play Upgrade Signing Key, and add the upgraded certificate fingerprint to the field. Otherwise, skip to the next step.
  6. Upload the keystore file, and then enter the keystore password, key alias, and key password.
  7. Select Sign My App.
  8. Optional: In the pop-up message, select OK to save your signing credentials. Otherwise, select Skip. You can remove the credentials at any time by clicking Remove Signing Credentials.

Appdome will now calculate a checksum of each component of your app’s current state. Once the signing is complete, continue to the next step to deploy your app.

Private Signing

You can sign the app in your trusted environment using private signing, described next.

Before You Begin

Ensure the following prerequisites are met:

  • Your SDK Build Tool version must be 35.0.0 or later. This version includes updates to the apksigner utility, including changing the default page alignment from 4KB to 16KB and adding a ZIP alignment extra field. Using an older version may lead to improperly signed APKs, which can prevent your app from installing or updating successfully on newer Android devices.
  • Your app is built with Appdome’s features and is ready to be signed.
  • The Java version installed in your local environment is identical to or newer than the Java version you’re using to generate your keystore. To check your Java version, run the following command on your terminal: java -version
  • If you’re using Google Play App Signing:
    • Your app is configured in Google Play App Signing.
    • You have your SHA certificate fingerprint. To retrieve it:
      1. Log in to Google Play Console.
      2. Select the app.
      3. In the left sidebar, click Setup, then select App signing (or Internal app sharing for internal testing).
      4. Copy the SHA-1 or SHA-256 certificate fingerprint from the relevant field.

1. Generate a Certificate Fingerprint

The fingerprint is a one-way hash of the certificate stored in the Android signing Keystore.
Local signing of the app may fail if the certificate fingerprint you provide doesn’t match its associated keystore, due to Appdome’s Anti-Tampering protections.
To get the fingerprint, follow these steps:

Step by Step:
  1. On your workstation, run:

    keytool -list -v -keystore <path_to_keystore> -storepass <store pass> -alias <alias>

    Alternatively, use this command:

    keytool -printcert -jarfile <apk/aab_file>

    The SHA1 or SHA256 fingerprint is shown in the output. This is a public identifier that can also be extracted from the signed .apk. The output should look like this:

    test-alias, Nov 20, 2017, PrivateKeyEntry, 
    Certificate fingerprint (SHA1):BE:D2:E3:17:9F:20:9A:F9:CF:55:E8:31:21:8C:7E:C7:7F:87:62:26
  2. Copy the fingerprint.

2. Seal The App in Appdome

Step by Step:
  1. Sign in to the Appdome platform.
  2. Select the APK/AAB app you’d like to sign (the app must complete the Build process with Appdome before you can seal it).
  3. In the upper navigation bar, select Sign.
  4. Next to “How Would You Like to Sign?”, select Private Signing.
  5. If signing with Google: Toggle on Use Google Play App Signing, and add your certificate fingerprint to the designated field. Also, if relevant, toggle on Google Play Upgrade Signing Key, and add the upgraded certificate fingerprint to the field. Otherwise, skip to the next step.
  6. Next to “Certificate Fingerprint”, paste the fingerprint you copied.
  7. Select Sign Privately.
  8. In the pop-up message, select Continue with Private Signing.
  9. Optional: Tick the checkbox to save your signing credentials.

Once the sealing is complete, continue to download your app. Then, refer to the next phase below.

3. Sign the App Privately

Use the set of instructions below that matches your app type: APK or AAB.

Signing an APK App

Step by Step:

After downloading the built app from Appdome, you can sign the app on your workstation by running:

zipalign -f 4 <path_to_apk> <path_to_apk>-aligned.apk

mv <path_to_apk>-aligned.apk <path_to_apk>
apksigner sign --ks <path_to_keystore> --ks-pass pass:<store pass> --ks-key-alias <alias> --key-pass pass:<key pass> --v2-signing-enabled --v1-signing-enabled <path_to_apk>

After signing, your app is ready to deploy.

Signing an AAB App

Step by Step:

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

jarsigner <path_to_AAB> -sigalg SHA256withRSA -digestalg SHA-256 -keystore <path_to_keystore> <alias> -storepass <store pass> -keypass <key pass> -signedjar signed_AAB.aab

After signing, your app is ready to deploy.
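
A pre-deploy check for the fingerprint mismatch described in step 1, as an added example (not Appdome's code): it normalises the fingerprint formats printed by keytool and by `apksigner verify --print-certs` and compares the signed artifact's certificate with the fingerprint you sealed. The function names and the sample tool output are constructed for illustration; the SHA1 value is the one shown in step 1.

```shell
#!/bin/sh
# Added example. Sample tool output below is constructed, not captured.

# Lowercase hex, no colons or whitespace.
norm_fp() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'; }

# extract_fp sha1|sha256 : read keytool or apksigner output on stdin and
# print the first certificate fingerprint of that type, normalised.
extract_fp() {
    case "$1" in
        sha1)   tag='SHA-?1';   len=40 ;;
        sha256) tag='SHA-?256'; len=64 ;;
        *) echo "usage: extract_fp sha1|sha256" >&2; return 2 ;;
    esac
    # Matches "SHA1: AA:BB", "fingerprint (SHA1):AA:BB" and
    # "SHA-1 digest: aabb"; skips "Signature algorithm name: SHA256withRSA".
    raw=$(sed -E -n "s/.*${tag}(\)| digest)?:[[:space:]]*([0-9A-Fa-f:]+)[[:space:]]*\$/\2/p" | head -n 1)
    fp=$(norm_fp "$raw")
    [ "${#fp}" -eq "$len" ] || return 1
    printf '%s\n' "$fp"
}

# check_fp <expected> sha1|sha256 : succeed only if stdin carries that cert.
check_fp() {
    want=$(norm_fp "$1")
    got=$(extract_fp "$2") || { echo "no $2 fingerprint in input" >&2; return 1; }
    [ "$want" = "$got" ]
}

sample_keytool() { cat <<'EOF'
Alias name: test-alias
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA1: BE:D2:E3:17:9F:20:9A:F9:CF:55:E8:31:21:8C:7E:C7:7F:87:62:26
Signature algorithm name: SHA256withRSA
EOF
}

sample_apksigner() { cat <<'EOF'
Signer #1 certificate DN: CN=Example
Signer #1 certificate SHA-1 digest: bed2e3179f209af9cf55e831218c7ec77f876226
EOF
}

sealed=$(sample_keytool | extract_fp sha1)
if sample_apksigner | check_fp "$sealed" sha1; then
    echo "signed APK carries the sealed certificate"
else
    echo "fingerprint mismatch: do not deploy" >&2
fi
```

In real use, replace the sample functions with `keytool -list -v -keystore <path_to_keystore> -alias <alias>` and `apksigner verify --print-certs <path_to_apk>` (or `keytool -printcert -jarfile <apk/aab_file>` for an AAB).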

Auto-DEV Private Signing

Refer to this article to learn more.

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
