APK Signer

This is a SignServer Enterprise feature.

The signer has the fully qualified class name: org.signserver.module.apk.signer.ApkSigner

Overview

The APK Signer signs Android applications in the Android Package Kit (APK) format and supports all three Android application signing schemes:

  • v1 scheme: based on JAR signing
  • v2 scheme: APK Signature Scheme v2 introduced in Android 7.0.
  • v3 scheme: APK Signature Scheme v3 introduced in Android 9.

The APK Signature Scheme v3 introduces signature lineage to support APK key rotation. Key rotation allows changing the signing certificate when a newer version of an Android app is released. Thus, if the initial version of an Android app was signed with a given key, it is now possible to switch to a different key if you need to. Reasons for changing the key could be organizational restructuring or reorganization of your key stores, for example. For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing.

The signer supports RSA and ECDSA keys and integration tests are run with RSA 2048 and ECDSA prime256v1 keys.

Setting the SIGNATUREALGORITHM property will only affect the default algorithm used when generating CSRs for the APK Signer. The signature algorithm used when signing depends on the API level, and the key algorithm and size used.

Available Properties

| Property | Description |
|---|---|
| V1_SIGNATURE | Enable (true) to include APK version 1 signature. Valid values: true, false, or unset. Default: unset. |
| V2_SIGNATURE | Enable (true) to include APK version 2 signature. Valid values: true, false, or unset. Default: unset. |
| V3_SIGNATURE | Enable (true) to include APK version 3 signature. Valid values: true, false, or unset. Default: unset. |
| MIN_SDK_VERSION | Minimum SDK version of APK supported to be signed. Valid values: a positive integer, or unset. Default: unset. |
| MAX_SDK_VERSION | Maximum SDK version of APK supported to be signed. Valid values: a positive integer, or unset. Default: unset. |
| DEBUGGABLE_APK_PERMITTED | True if debuggable APK should be allowed to be signed. Valid values: true, or false. Default: false. |
| LINEAGE_FILE_CONTENT | Base64-encoded content of a lineage file. Default: unset. |
| V1_SIGNATURE_NAME | Signature name to use for version 1 signature. If not set, the common name (CN) from the DN will be used or, if not existing, the whole DN will be used. Default: unset. |
| OTHER_SIGNERS | Comma-separated list of additional worker names. The certificate and key of the specified signers will be used to create the additional signatures (if specified). Only allowed for: V1 and V2 signatures (that is, the V3 might need to be disabled); V3 if a lineage file is configured. For more information on Signing with Multiple Signers and Rolling Over to a New Key, see Setting up Android Signing. |
| ALLOW_V1_SIGNATURE_OVERRIDE | Enable (true) to allow overriding V1_SIGNATURE in the request. Default: false. |
| ALLOW_V2_SIGNATURE_OVERRIDE | Enable (true) to allow overriding V2_SIGNATURE in the request. Default: false. |
| ALLOW_V3_SIGNATURE_OVERRIDE | Enable (true) to allow overriding V3_SIGNATURE in the request. Default: false. |
| ALLOW_MIN_SDK_VERSION_OVERRIDE | Enable (true) to allow overriding MIN_SDK_VERSION in the request. Default: false. |
| ALLOW_MAX_SDK_VERSION_OVERRIDE | Enable (true) to allow overriding MAX_SDK_VERSION in the request. Default: false. |
| ALLOW_DEBUGGABLE_APK_PERMITTED_OVERRIDE | Enable (true) to allow overriding DEBUGGABLE_APK_PERMITTED in the request. Default: false. |
| ALLOW_V1_SIGNATURE_NAME_OVERRIDE | Enable (true) to allow overriding V1_SIGNATURE_NAME in the request. Default: false. |
| DO_LOGREQUEST_DIGEST | If a digest of the request should be computed and logged. Optional, default: true. |
| LOGREQUEST_DIGESTALGORITHM | Algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256. |
| DO_LOGRESPONSE_DIGEST | If a digest of the response should be computed and logged. Optional, default: true. |
| LOGRESPONSE_DIGESTALGORITHM | Algorithm used to create the message digest (hash) of the response document to put in the log. Default: SHA256. |
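
The following check is an added example, not SignServer code: it reads a worker configuration and reports settings from the table above that loosen signing policy, including the OTHER_SIGNERS restriction. The `WORKERGENID1.` prefix, the worker names, and the treatment of an unset V3_SIGNATURE as "V3 may be produced" are assumptions.

```python
# Added example (not SignServer code): lint an APK Signer worker configuration.
OVERRIDABLE = ("V1_SIGNATURE", "V2_SIGNATURE", "V3_SIGNATURE", "MIN_SDK_VERSION",
               "MAX_SDK_VERSION", "DEBUGGABLE_APK_PERMITTED", "V1_SIGNATURE_NAME")

def parse_properties(text):
    """Parse KEY=value lines; an optional worker prefix before the last '.' is dropped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip().rsplit(".", 1)[-1].upper()] = value.strip()
    return props

def is_true(props, name, default=False):
    """Return the boolean value of a property, or the documented default if unset."""
    value = props.get(name, "")
    return default if value == "" else value.lower() == "true"

def lint(props):
    findings = []
    if is_true(props, "DEBUGGABLE_APK_PERMITTED"):
        findings.append("DEBUGGABLE_APK_PERMITTED=true: debuggable APKs will be signed")
    for prop in OVERRIDABLE:
        if is_true(props, f"ALLOW_{prop}_OVERRIDE"):
            findings.append(f"ALLOW_{prop}_OVERRIDE=true: requests may override {prop}")
    for name in ("DO_LOGREQUEST_DIGEST", "DO_LOGRESPONSE_DIGEST"):
        if not is_true(props, name, default=True):
            findings.append(f"{name}=false: digest is not logged")
    # OTHER_SIGNERS is only allowed with V1/V2, or with V3 when a lineage file is set.
    # Assumption: an unset V3_SIGNATURE is treated as "V3 may be produced".
    if props.get("OTHER_SIGNERS"):
        v3_disabled = props.get("V3_SIGNATURE", "").lower() == "false"
        if not v3_disabled and not props.get("LINEAGE_FILE_CONTENT"):
            findings.append("OTHER_SIGNERS: set V3_SIGNATURE=false or LINEAGE_FILE_CONTENT")
    return findings

# Constructed sample configuration (worker prefix and names are illustrative).
SAMPLE = """\
WORKERGENID1.NAME=ApkSignerExample
WORKERGENID1.V1_SIGNATURE=true
WORKERGENID1.V2_SIGNATURE=true
WORKERGENID1.OTHER_SIGNERS=ApkSignerOld
WORKERGENID1.DEBUGGABLE_APK_PERMITTED=true
WORKERGENID1.ALLOW_MIN_SDK_VERSION_OVERRIDE=true
WORKERGENID1.DO_LOGRESPONSE_DIGEST=false
"""

if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE)):
        print(finding)
```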

Request Parameters

| Property | Description |
|---|---|
| V1_SIGNATURE | True if version 1 signature should be included when not configured in the worker, false to skip version 1 signature if configured with the worker property. |
| V2_SIGNATURE | True if version 2 signature should be included when not configured in the worker, false to skip version 2 signature if configured with the worker property. |
| V3_SIGNATURE | True if version 3 signature should be included when not configured in the worker, false to skip version 3 signature if configured with the worker property. |
| MIN_SDK_VERSION | Min SDK version to support for the APK to be signed. Overrides the value configured in the worker, if any. |
| MAX_SDK_VERSION | Max SDK version to support for the APK to be signed. Overrides the value configured in the worker, if any. |
| DEBUGGABLE_APK_PERMITTED | True or false determining if a debuggable APK is permitted to be signed. Overrides the value configured in the worker. |
| V1_SIGNATURE_NAME | The signature name to use for the version 1 signature(s), if it is enabled. Overrides the value configured in the worker. |

Worker Log Fields

| Field | Description |
|---|---|
| REQUEST_DIGEST | A message digest (hash) for the request document in hex encoding. |
| REQUEST_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the request digest in the log. |
| RESPONSE_DIGEST | A message digest (hash) for the response document in hex encoding. |
| RESPONSE_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the response digest in the log. |
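
The log fields above let a reviewer tie a released APK back to a specific signing transaction. The following is an added example, not SignServer code: it recomputes the digest of an APK and compares it with the logged value. The `KEY: value; KEY: value` log layout and the sample bytes are constructed assumptions; adapt the parser to the worker logger in use.

```python
import hashlib

def hashlib_name(alg):
    """Map a logged algorithm name such as 'SHA256' or 'SHA-256' to a hashlib name."""
    return alg.replace("-", "").lower()

def parse_log_fields(line):
    """Parse 'KEY: value; KEY: value' (constructed layout, an assumption)."""
    fields = {}
    for part in line.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def matches_log(data, fields, which):
    """Compare data with the logged digest; which is 'REQUEST' or 'RESPONSE'."""
    logged = fields.get(f"{which}_DIGEST")
    alg = fields.get(f"{which}_DIGEST_ALGORITHM")
    if not logged or not alg:
        return False  # digest logging disabled or field missing from the entry
    try:
        digest = hashlib.new(hashlib_name(alg), data).hexdigest()
    except ValueError:
        return False  # algorithm name not known to hashlib
    # Hex may be logged in either case, so compare case-insensitively.
    return digest == logged.lower()

# Constructed sample data: stand-ins for the unsigned and signed APK bytes.
UNSIGNED = b"PK\x03\x04 constructed unsigned apk"
SIGNED = b"PK\x03\x04 constructed signed apk"
LOG_LINE = (
    "REQUEST_DIGEST: " + hashlib.sha256(UNSIGNED).hexdigest().upper() + "; "
    "REQUEST_DIGEST_ALGORITHM: SHA256; "
    "RESPONSE_DIGEST: " + hashlib.sha256(SIGNED).hexdigest() + "; "
    "RESPONSE_DIGEST_ALGORITHM: SHA256"
)

if __name__ == "__main__":
    fields = parse_log_fields(LOG_LINE)
    print("request matches:", matches_log(UNSIGNED, fields, "REQUEST"))
    print("response matches:", matches_log(SIGNED, fields, "RESPONSE"))
    print("tampered matches:", matches_log(SIGNED + b"\x00", fields, "RESPONSE"))
```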