How can I sign my app with "APK Signature Scheme v3 and v4"?

Question

Here in the docs, there is the explanation about signature v3 and v4 : https://source.android.com/security/apksigning/v3

But when I try to sign my app in android studio using Build>Generate signed apk/bundle, I can just check checkboxes for v1(jar signature) and v2(full apk signature) and there is no option for v3 signature.

How can I sign my App using signature scheme v3 and v4?

Thank you.

Answer 1

To manually create the signed build using Command line.

Please find the steps to create v3 and v4 scheme signed build,

1. Select build-tools\30.0.0 or later version.

   Note: You can find the build-tools folder inside the SDK location.

   \Users\AppData\Local\Android\Sdk\build-tools\30.0.0

2. Zipalign - Align the unsigned APK

zipalign -v -p 4 app-production-debug.apk my-app-unsigned-aligned.apk

Note:

app-production-debug.apk - a. Apk file you have created from Android studio by Build-> Build Bundles(s)/APK(s)-> Build APK(s)

my-app-unsigned-aligned.apk - The file will be created in the same directory(You can define your path as well).

3. Apksigner - Sign your APK with your private key

apksigner sign --ks release-keystore.jks --out my-app-release.apk my-app-unsigned-aligned.apk

Note: a. release-keystore.jks - Keystore file we have configured in the build.gradle file

   android {
                signingConfigs {
                        production {
                            storeFile file('release-keystore.jks')
                            storePassword 'XXXX'
                            keyAlias = 'AAAAA'
                            keyPassword 'XXXX'
                        }
                }
            buildTypes {
                        release {
                            ...............
                            signingConfig signingConfigs.production 
               
                        }
            }
        }

b. my-app-release.apk - Signed release build will be generated in the same directory(You can define your path as well).

4. Verify:

apksigner verify --verbose my-app-release.apk

Update to verify v4:

apksigner verify -v -v4-signature-file my-app-release.apk.idsig my-app-release.apk

5. You can see the schemes that verified in the release apk.

   Verifies

   Verified using v1 scheme (JAR signing): true

   Verified using v2 scheme (APK Signature Scheme v2): true

   Verified using v3 scheme (APK Signature Scheme v3): true

   Verified using v4 scheme (APK Signature Scheme v4): true