APK Hash Signer

ENTERPRISE  This is a SignServer Enterprise feature.

The APK Hash signer has the fully qualified class name: org.signserver.module.apk.signer.ApkHashSigner


The APK Hash Signer can sign hashed data for Client-Side Hashing and construction of signed Android Package Kit (APK) files. For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing.

The signer supports the following types of requests:

  • Pre-request with an empty body: The result is a pre-response with information containing the signer certificate chain and the following signers. For more information, see Pre-response Format.
  • Signing request with a non-empty body: The result is a plain signature, as when using the Plain SIgner.

Available Properties


Property specifying the algorithm used to sign the data. The default value depends on the signing key: NONEwithDSA for DSA keys, NONEwithECDSA for ECDSA keys, otherwise NONEwithRSA.

The algorithms NONEwithRSA and NONEwithECDSA are also supported and should be used when hash digest is supplied for signing not the data itself. When using the NONEwithRSA algorithm, the input format should be specified according to RFC#3447. When using SignClient with client-side hashing and construction, the signer should use an RSA or ECDSA key and use NONEwithRSA, or NONEwithECDSA (the default if not configured). Optional.


Specifies the algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256. Optional.

DO_LOGREQUEST_DIGESTSpecifies if the message digest of the requested document should be put in the log. Default: true. Optional.

When requesting a pre-response (by sending a request with an empty request body), specify the signers whose names and certificate chains to include in the response. Optional.


The base 64-encoded content of a lineage file to include. Optional.

Worker Log Fields

REQUEST_DIGESTA message digest (hash) for the request document in HEX encoding.
REQUEST_DIGEST_ALGORITHMThe name of the message digest (hash) algorithm used for the request digest in the log.
RESPONSE_ENCODEDThe response document (plain signature) in base64 encoding.

Pre-response Format

The pre-response is encoded using key/value pairs (KEY=Value), in the same manner as used in Java properties files.



Semicolon-separated base 64-encoded certificates of the signer's own signer certificate chain.


Number of other signers whose names and certificates are to be included in the response.
LINEAGE_FILE_CONTENTThe base 64-encoded content of the lineage file, when one is configured with the corresponding worker property LINEAGE_FILE_CONTENT.
OTHER_SIGNER_n.NAMEName of other signer with index n. Index is 0-based.
OTHER_SIGNER_n.CERTIFICATE_CHAINCertificate chain of other signer with index n. Index is 0-based. Certificate chain uses the same encoding as for SIGNER_CERTIFICATE_CHAIN.