Signing your Android App
All protected Android apps have to be signed before publishing or being installed onto a test device.
If you used Quick Protection, the app is already signed for test use only.
NOTE: DO NOT try to publish a quick-protected app, because app stores such as Google Play will not recognize the certificate.
Signing the app has to be the last change made to the app. This is because the signature encapsulates the contents of the app package. Signing the app is the only change you can make to the protected app without breaking it.
There are three steps involved in signing a protected app:
- Retrieve your App Signing Key Certificate before protection
- Lock the app to your Signing Key with Verimatrix App Protection the first time you protect the app
- Sign your protected app with the Signing Key after downloading the protected app
If you have problems with the app after signing it, please see the troubleshooting guide.
Retrieve your App Signing Key Certificate
If your app is a developer signed APK, extract the certificate from your keystore using the command:
keytool -export -keystore <keystore> -rfc -alias <keyalias> -file signing_certificate.pem
If you get a warning "The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using..." execute the recommended command, as shown in the keytool logging, to convert your keystore to the required format.
If your app is a Google signed APK or AAB, download the certificate from the Google Play Console.
Under App Integrity on the Google Play Console there are two certificates:
- App signing key certificate
- Upload key certificate
Download the App signing key certificate.
Lock the app to your Signing Key
The first time you protect your Android app with Verimatrix App Protection, you are asked to provide the public key associated with your private signing key - this is called the App Signing Certificate.
The certificate must be given in the DER or PEM format.
The supported Signature Algorithms are:
- sha1WithRSAEncryption
- sha256WithRSAEncryption
- sha384WithRSAEncryption
- sha512WithRSAEncryption
Providing the App Signing Key Certificate allows Verimatrix to lock the app to your signing key, stopping anyone else from resigning the app and claiming ownership of it. This adds an extra layer of protection on top of the anti-tamper technology that Verimatrix embeds into your app to stop modification of the code and other contents of your app package.
As a security company, Verimatrix does not ask you to provide your private signing key. It is only the public App Signing Key Certificate. This is safe to share with third parties like Verimatrix.
You can change the certificate later in the App Details of your app - you can access this by navigating to Apps and clicking on App Name for your app.
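Before uploading the certificate, it is worth checking locally that it is in a form the locking step will accept: PEM or DER, signed with one of the four RSA algorithms listed above. The following script is an added example and not part of the Verimatrix documentation or tooling; it walks just enough of the DER structure to read the signatureAlgorithm OID from the outer Certificate SEQUENCE (RFC 5280), maps it to the supported names, and also prints the SHA-256 fingerprint of the DER encoding, which is the value that `apksigner verify --print-certs` reports, so you can confirm after signing that the protected app was signed with the same key the app is locked to. The `sample_certificate` helper builds a constructed, certificate-shaped DER stand-in purely for offline testing; it is not a real certificate.

```python
"""Pre-flight check of an App Signing Key Certificate (added example, not Verimatrix code).

Usage: python check_signing_cert.py signing_certificate.pem
Accepts the PEM that `keytool -export -rfc` writes, or a raw DER file.
"""
import base64
import hashlib
import re
import sys

# OIDs of the signature algorithms the documentation lists as supported (RFC 3279 / RFC 4055).
SUPPORTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return DER bytes, unwrapping a PEM block if one is present."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if not data.startswith(b"\x30"):  # DER Certificate always starts with a SEQUENCE tag
        raise ValueError("not a PEM certificate and not a DER SEQUENCE")
    return data


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OID content octets into dotted notation (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der: bytes) -> str:
    """Return the OID in Certificate.signatureAlgorithm (the element after tbsCertificate)."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, pos = _read_tlv(cert_body, 0)          # tbsCertificate: not needed here
    tag, alg_id, _ = _read_tlv(cert_body, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)


def check_certificate(data: bytes) -> dict:
    """Summarise format, algorithm support and the SHA-256 fingerprint of the DER encoding."""
    der = to_der(data)
    oid = signature_algorithm_oid(der)
    return {
        "format": "PEM" if _PEM_RE.search(data) else "DER",
        "signature_algorithm": SUPPORTED_SIGNATURE_OIDS.get(oid, oid),
        "supported": oid in SUPPORTED_SIGNATURE_OIDS,
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


# --- constructed test fixtures (not real certificates) -------------------------------
def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER TLV encoder for the fixtures; short-form lengths only."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def sample_certificate(sig_oid: str) -> bytes:
    """CONSTRUCTED stand-in: Certificate-shaped SEQUENCE with a dummy tbsCertificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                                  # dummy tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))   # AlgorithmIdentifier
    sig = _der(0x03, b"\x00")                                              # empty BIT STRING
    return _der(0x30, tbs + alg + sig)


def pem_wrap(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        result = check_certificate(f.read())
    for k, v in result.items():
        print(f"{k}: {v}")
    sys.exit(0 if result["supported"] else 1)
```

The exit status lets the check sit in a release script ahead of the upload step; an ECDSA certificate, for instance, is reported by OID and rejected even though the file itself is well-formed PEM.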
Sign the app
After downloading the protected app, you must sign the app before running or publishing it.
This is the only change you can make to the protected app without breaking it. Do not use other tools on the app like zipalign.
With Android apps, you have three publishing options, each of which has its own signing requirements:
- Developer signed APK
- Google Play signed APK
- Google Play signed AAB
Learn more about Google Signing
Signing a Developer Signed APK
The typical command for signing an APK is
apksigner sign --ks <path_to_keystore> --ks-key-alias <alias> <app-release-protected>.apk
Signing a Google Play Signed APK
When using Google Play signing there are two different keys that are part of the process:
- Upload key
- Signing key
Before uploading to Google Play you must sign the APK with your Upload key. This identifies you as the official developer to Google.
The typical command for signing an APK is
apksigner sign --ks <path_to_keystore> --ks-key-alias <alias> <app-release-protected>.apk
The APK signed with the Upload key cannot be used for testing the APK. To test the app you must first upload it to Google and then download a signed APK.
Once uploaded, Google signs the APK with the Signing key (known only to Google). Then you can download the signed APK for testing.
Signing a Google Play Signed AAB
When using Google Play signing there are two different keys that are part of the process:
- Upload key
- Signing key
Before uploading to Google Play you must sign the AAB with your Upload key. This identifies you as the official developer to Google.
The typical command for signing an AAB is
jarsigner -keystore <path_to_keystore> -keypass <key_entry_password> -storepass <keystore_password> <app-release-protected>.aab <alias>
Once uploaded to Google Play, Google generates APKs and signs them with the Signing key (known only to Google).
The AAB signed with the Upload key cannot be used for testing the AAB. To test the app you must download the APK signed with the Signing key.
It is not possible to self-generate an APK from the protected AAB.