APK Signer

ENTERPRISE

The signer has the fully qualified class name: org.signserver.module.apk.signer.ApkSigner

Overview

The APK Signer signs Android applications in the Android Package Kit (APK) format and supports all three Android application signing schemes:

  • v1 scheme: based on JAR signing

  • v2 scheme: APK Signature Scheme v2 introduced in Android 7.0.

  • v3 scheme: APK Signature Scheme v3 introduced in Android 9.

The APK Signature Scheme v3 introduces signature lineage to support APK key rotation. Key rotation allows changing the signing certificate when a newer version of an Android app is released. Thus, if the initial version of an Android app was signed with a given key, you can switch to a different key if you need to. Reasons for changing the key could be organizational restructuring or reorganization of your key stores, for example. For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing.

The signer supports RSA and ECDSA keys, and integration tests are run with RSA 2048 and ECDSA prime256v1 keys.

Setting the SIGNATUREALGORITHM property only affects the default algorithm used when generating CSRs for the APK Signer. The signature algorithm used when signing depends on the API level and on the key algorithm and key size used.

Available Properties

| Property | Default | Description |
|---|---|---|
| ALLOW_DEBUGGABLE_APK_PERMITTED_OVERRIDE | False | Enable (true) to allow overriding DEBUGGABLE_APK_PERMITTED in the request. |
| ALLOW_MAX_SDK_VERSION_OVERRIDE | False | Enable (true) to allow overriding MAX_SDK_VERSION in the request. |
| ALLOW_MIN_SDK_VERSION_OVERRIDE | False | Enable (true) to allow overriding MIN_SDK_VERSION in the request. |
| ALLOW_V1_SIGNATURE_NAME_OVERRIDE | False | Enable (true) to allow overriding V1_SIGNATURE_NAME in the request. |
| ALLOW_V1_SIGNATURE_OVERRIDE | False | Enable (true) to allow overriding V1_SIGNATURE in the request. |
| ALLOW_V2_SIGNATURE_OVERRIDE | False | Enable (true) to allow overriding V2_SIGNATURE in the request. |
| ALLOW_V3_SIGNATURE_OVERRIDE | False | Enable (true) to allow overriding V3_SIGNATURE in the request. |
| DEBUGGABLE_APK_PERMITTED | False | True if debuggable APK should be allowed to be signed. Valid values: true or false. |
| DO_LOGRESPONSE_DIGEST | True | (Optional) If a digest of the response should be computed and logged. |
| DO_LOGREQUEST_DIGEST | True | (Optional) If a digest of the request should be computed and logged. |
| LINEAGE_FILE_CONTENT | Unset | Base64-encoded content of a lineage file. |
| LOGRESPONSE_DIGESTALGORITHM | SHA256 | Algorithm used to create the message digest (hash) of the response document to put in the log. |
| LOGREQUEST_DIGESTALGORITHM | SHA256 | Algorithm used to create the message digest (hash) of the request document to put in the log. |
| MAX_SDK_VERSION | Unset | Maximum SDK version of APK supported to be signed. Valid values: a positive integer, or unset. |
| MIN_SDK_VERSION | Unset | Minimum SDK version of APK supported to be signed. Valid values: a positive integer, or unset. |
| OTHER_SIGNERS | None | Comma-separated list of additional worker names. The certificate and key of the specified signers will be used to create the additional signatures (if specified). Only allowed for: V1 and V2 signatures (that is, the V3 might need to be disabled); V3 if a lineage file is configured. For more information on Signing with Multiple Signers and Rolling Over to a New Key, see Setting up Android Signing. |
| V1_SIGNATURE | Unset | Enable (true) to include APK version 1 signature. Valid values: true, false, or unset. |
| V1_SIGNATURE_NAME | Unset | Signature name to use for version 1 signature. If not set, the common name (CN) from the DN will be used or, if not existing, the whole DN will be used. |
| V2_SIGNATURE | Unset | Enable (true) to include APK version 2 signature. Valid values: true, false, or unset. |
| V3_SIGNATURE | Unset | Enable (true) to include APK version 3 signature. Valid values: true, false, or unset. |

Request Parameters

| Property | Description |
|---|---|
| DEBUGGABLE_APK_PERMITTED | True or false determining if a debuggable APK is permitted to be signed. Overrides the value configured in the worker. |
| MAX_SDK_VERSION | Max SDK version to support for the APK to be signed. Overrides the value configured in the worker, if any. |
| MIN_SDK_VERSION | Min SDK version to support for the APK to be signed. Overrides the value configured in the worker, if any. |
| V1_SIGNATURE | True if version 1 signature should be included when not configured in the worker, false to skip version 1 signature if configured with the worker property. |
| V1_SIGNATURE_NAME | The signature name to use for the version 1 signature(s), if it is enabled. Overrides the value configured in the worker. |
| V2_SIGNATURE | True if version 2 signature should be included when not configured in the worker, false to skip version 2 signature if configured with the worker property. |
| V3_SIGNATURE | True if version 3 signature should be included when not configured in the worker, false to skip version 3 signature if configured with the worker property. |
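The worker properties and request parameters above decide how much of the signing policy a client can change per request. The following added example (not part of SignServer or its documentation) audits a worker's property set for settings that loosen that policy; the KEY=VALUE input layout, the helper names and the sample values are assumptions made for illustration.

```python
# Property names come from the tables above; the sample values are constructed.
OVERRIDABLE = ["DEBUGGABLE_APK_PERMITTED", "MAX_SDK_VERSION", "MIN_SDK_VERSION",
               "V1_SIGNATURE_NAME", "V1_SIGNATURE", "V2_SIGNATURE", "V3_SIGNATURE"]

def parse_properties(text):
    """Parse KEY=VALUE lines; blanks, '#' comments and dotted prefixes are dropped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip().rsplit(".", 1)[-1].upper()] = value.strip()
    return props

def is_true(props, key, default=False):
    value = props.get(key, "")
    return default if value == "" else value.lower() == "true"

def audit(props):
    """Return one finding per setting that loosens the worker's signing policy."""
    findings = []
    for name in OVERRIDABLE:
        flag = f"ALLOW_{name}_OVERRIDE"
        if is_true(props, flag):
            findings.append(f"{flag}: requests may override {name}")
    if is_true(props, "DEBUGGABLE_APK_PERMITTED"):
        findings.append("DEBUGGABLE_APK_PERMITTED: debuggable APKs will be signed")
    for key in ("DO_LOGREQUEST_DIGEST", "DO_LOGRESPONSE_DIGEST"):
        if not is_true(props, key, default=True):
            findings.append(f"{key}: digest will be missing from the worker log")
    # OTHER_SIGNERS with V3 requires a lineage file. Assumption: V3 is treated
    # as possibly active unless V3_SIGNATURE is explicitly false.
    if props.get("OTHER_SIGNERS") and not props.get("LINEAGE_FILE_CONTENT"):
        if props.get("V3_SIGNATURE", "").lower() != "false":
            findings.append("OTHER_SIGNERS: set V3_SIGNATURE=false or configure a lineage file")
    return findings

SAMPLE = """\
# constructed worker configuration
ALLOW_V3_SIGNATURE_OVERRIDE=true
DEBUGGABLE_APK_PERMITTED=false
DO_LOGREQUEST_DIGEST=false
OTHER_SIGNERS=ApkSignerOld
V2_SIGNATURE=true
"""

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print(finding)
```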

Worker Log Fields

| Field | Description |
|---|---|
| REQUEST_DIGEST | A message digest (hash) for the request document in hex encoding. |
| REQUEST_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the request digest in the log. |
| RESPONSE_DIGEST | A message digest (hash) for the response document in hex encoding. |
| RESPONSE_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the response digest in the log. |
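The logged digests let you tie a released APK back to a signing operation. The following added example (not part of SignServer) lists artifacts whose digest does not appear as a RESPONSE_DIGEST in the worker log. It assumes the response document is the signed APK and that log entries are available as `FIELD: value; FIELD: value` text; that layout, the file names and the sample bytes are constructed.

```python
import hashlib

def parse_fields(entry):
    """Split one 'FIELD: value; FIELD: value' log entry into a dict (layout assumed)."""
    fields = {}
    for part in entry.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def digest_hex(data, algorithm):
    # The log names the algorithm as e.g. SHA256; hashlib expects "sha256".
    return hashlib.new(algorithm.replace("-", "").lower(), data).hexdigest()

def unlogged_artifacts(log_entries, artifacts):
    """Names of artifacts whose digest is not a RESPONSE_DIGEST in the worker log."""
    logged = set()
    for fields in map(parse_fields, log_entries):
        if "RESPONSE_DIGEST" in fields and "RESPONSE_DIGEST_ALGORITHM" in fields:
            logged.add((fields["RESPONSE_DIGEST_ALGORITHM"].upper(),
                        fields["RESPONSE_DIGEST"].lower()))  # hex case may vary
    algorithms = {algorithm for algorithm, _ in logged}
    return sorted(name for name, data in artifacts.items()
                  if not any((a, digest_hex(data, a)) in logged for a in algorithms))

# Constructed sample: the "signed APK" is the bytes b"abc", whose SHA-256 is the
# RESPONSE_DIGEST below; the second artifact never passed through the worker.
LOG = [
    "RESPONSE_DIGEST_ALGORITHM: SHA256; "
    "RESPONSE_DIGEST: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD",
]
ARTIFACTS = {"app-release.apk": b"abc", "app-unknown.apk": b"abd"}

if __name__ == "__main__":
    print(unlogged_artifacts(LOG, ARTIFACTS))
```

This check only works while DO_LOGRESPONSE_DIGEST is left at its default of True.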
