APK Signer

ENTERPRISE This is a SignServer Enterprise feature.

The signer has the fully qualified class name: org.signserver.module.apk.signer.ApkSigner

Overview

The APK Signer signs Android applications in the Android Package Kit (APK) format and supports all three Android application signing schemes:

  • v1 scheme: based on JAR signing

  • v2 scheme: APK Signature Scheme v2 introduced in Android 7.0.

  • v3 scheme: APK Signature Scheme v3 introduced in Android 9.

The APK Signature Scheme v3 introduces signature lineage to support APK key rotation. Key rotation allows changing the signing certificate when a newer version of an Android app is released. Thus, if the initial version of an android app was signed with a given key, it is now possible to switch to a different key if you need to. Reasons for changing the key could be organizational restructuring or reorganization of your key stores, for example. For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing .

The signer supports RSA and ECDSA keys and integration tests are run with RSA 2048 and ECDSA prime256v1 keys.

Setting the SIGNATUREALGORITHM property will only affect the default algorithm used when generating CSRs for the APK Signer. The signature algorithm used when signing depends on the API level, and the key algorithm and size used.

Available Properties

Property

Description

V1_SIGNATURE

Enable (true) to Include APK version 1 signature. Valid values: true, false, or unset. Default: unset.

V2_SIGNATURE

Enable (true) to Include APK version 2 signature. Valid values: true, false, or unset. Default: unset.

V3_SIGNATURE

Enable (true) to Include APK version 3 signature. Valid values: true, false, or unset. Default: unset.

MIN_SDK_VERSION

Minimum SDK version of APK supported to be signed. Valid values: a positive integer, or unset. Default: unset.

MAX_SDK_VERSION

Maximum SDK version of APK supported to be signed. Valid values: a positive integer, or unset. Default: unset.

DEBUGGABLE_APK_PERMITTED

True if debuggable APK should be allowed to be signed. Valid values: true, or false. Default: false.

LINEAGE_FILE_CONTENT

Base 64-encoded content of a lineage file. Default: unset.

V1_SIGNATURE_NAME

Signature name to use for version 1 signature. If not set, the common name (CN) from the DN will be used or if not existing the whole DN will be used. Default: unset.

OTHER_SIGNERS

Comma-separated list of additional worker names. The certificate and key of the specified signers will be used to create the additional signatures (if specified).
Only allowed for:

  • V1 and V2 signatures (that is, the V3 might need to be disabled)

  • V3 if a lineage file is configured

For more information on Signing with Multiple Signers and Rolling Over to a New Key, see Setting up Android Signing.

ALLOW_V1_SIGNATURE_OVERRIDE

Enable (true) to allow overriding V1_SIGNATURE in the request. Default: false.

ALLOW_V2_SIGNATURE_OVERRIDE

Enable (true) to allow overriding V2_SIGNATURE in the request. Default: false.

ALLOW_V3_SIGNATURE_OVERRIDE

Enable (true) to allow overriding V3_SIGNATURE in the request. Default: false.

ALLOW_MIN_SDK_VERSION_OVERRIDE

Enable (true) to allow overriding MIN_SDK_VERSION in the request. Default: false.

ALLOW_MAX_SDK_VERSION_OVERRIDE

Enable (true) to allow overriding MAX_SDK_VERSION in the request. Default: false.

ALLOW_DEBUGGABLE_APK_PERMITTED_OVERRIDE

Enable (true) to allow overriding DEBUGGABLE_APK_PERMITTED in the request. Default: false.

ALLOW_V1_SIGNATURE_NAME_OVERRIDE

Enable (true) to allow overriding V1_SIGNATURE_NAME in the request. Default: false.

DO_LOGREQUEST_DIGEST

If a digest of the request should be computed and logged. Optional, default: true.

LOGREQUEST_DIGESTALGORITHM

Algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256.

DO_LOGRESPONSE_DIGEST

If a digest of the response should be computed and logged. Optional, default: true.

LOGRESPONSE_DIGESTALGORITHM

Algorithm used to create the message digest (hash) of the response document to put in the log. Default: SHA256.

Request Parameters

Property

Description

V1_SIGNATURE

True if version 1 signature should be included when not configured in the worker, false to skip version 1 signature if configured with the worker property.

V2_SIGNATURE

True if version 2 signature should be included when not configured in the worker, false to skip version 2 signature if configured with the worker property.

V3_SIGNATURE

True if version 3 signature should be included when not configured in the worker, false to skip version 3 signature if configured with the worker property.

MIN_SDK_VERSION

Min SDK version to support for the APK to be signed. Overrides the value configured in the worker, if any.

MAX_SDK_VERSION

Max SDK version to support for the APK to be signed. Overrides the value configured in the worker, if any.

DEBUGGABLE_APK_PERMITTED

True or false determining if a debuggable APK is permitted to be signed. Overrides the configured in the worker.

V1_SIGNATURE_NAME

The signature name to use for the version 1 signature(s), if it is enabled. Overrides the value configured in the worker.

Worker Log Fields

Field

Description

REQUEST_DIGEST

A message digest (hash) for the request document in hex encoding.

REQUEST_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the request digest in the log.

RESPONSE_DIGEST

A message digest (hash) for the response document in HEX encoding.

RESPONSE_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the response digest in the log.