How To Manually Sign APK’s with keytool Jarsigner & Zipalign

Aditya Chauhan
3 min readMar 28, 2023

As an Android developer, it’s important to know how to manually sign your APKs using keytool, jarsigner, and zipalign. This process is necessary to ensure the authenticity and integrity of your Android applications. In this blog post, I’ll walk you through the steps required to manually sign your APKs, using practical examples to illustrate each step.

What is APK Signing?

APK signing is the process of digitally signing an Android application package (APK) file. This process ensures that the APK has not been tampered with or altered since it was signed. Android requires all APKs to be signed before they can be installed on a device.

Why Sign APKs Manually?

While Android Studio provides a simple way to sign your APKs, there are times when you may need to sign your APKs manually. For example, you may need to sign your APKs with a different key than the one used by Android Studio. Additionally, manual signing allows you to customize the signing process to meet your specific needs.

Prerequisites

Before you can manually sign your APK, you’ll need the following:

  • A Java Development Kit (JDK) installed on your system.
  • An Android KeyStore file (keystore.jks) containing a private key and a corresponding public key certificate. If you don’t have a keystore file, you can create one using the keytool command-line tool.

Step 1: Generate a Keystore File

If you don’t have a keystore file, you can generate one using the keytool command-line tool. The following command will create a new keystore file named mykeystore.jks in the current directory:

keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -validity 10000 -keystore mykeystore.jks

This command will prompt you to enter a password for the keystore and the private key. It will also prompt you to enter some additional information, such as your name and organization.

Step 2: Sign the APK with Jarsigner

Once you have your keystore file, you can use the jarsigner command-line tool to sign your APK. The following command will sign an APK named myapp.apk with the private key stored in mykeystore.jks:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykeystore.jks myapp.apk myalias

This command will prompt you to enter the password for the keystore and the private key.

Step 3: Optimize the APK with Zipalign

After you’ve signed your APK, you should optimize it using the zipalign command-line tool. This tool ensures that the APK is properly aligned, which improves the performance of the app on the device. The following command will optimize an APK named myapp.apk:

zipalign -v 4 myapp.apk myapp-aligned.apk

This command will create a new APK file named myapp-aligned.apk.

Step 4: Verify the Signature

Once you’ve signed and optimized your APK, you should verify the signature to ensure that it was successful. The following command will verify the signature of an APK named myapp-aligned.apk:

jarsigner -verify -verbose myapp-aligned.apk

This command will display information about the APK’s signature, including the certificate used to sign the APK.

Conclusion

In this blog post, we’ve learned how to manually sign an Android application package (APK) using keytool, jarsigner, and zipalign. By following these steps, you can ensure the authenticity and integrity of your Android applications. Manually signing your APKs gives you greater control over the signing.

--

--

Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher