Android APK Signing
This section introduces how to perform system signing for an APK.
Obtaining APK Signing Keys
Retrieve the key from OneDrive.
Tip
The keys can be obtained from the mainboard platform source code path or from the corresponding mainboard platform's network storage.
A133 Android SDK Source Code Key Path:
H618/RK3576 Android SDK Source Code Key Path:
RK3562/RK3568/RK3588 Android SDK Source Code Key Path:
Network Storage Path:
Obtaining the keytool-importkeypair Tool
Network Storage Path:
Creating the Platform Keystore (JKS)
- Place the system signature files and keytool-importkeypair in the same directory.
- Use keytool to generate the JKS file.
keytool-importkeypair usage:
keytool-importkeypair: Missing option, exiting...
usage: keytool-importkeypair [-k keystore] [-p storepass]
-pk8 pk8 -cert cert -alias key_alias
This script is used to import a key/certificate pair
into a Java keystore.
If a keystore is not specified then the key pair is imported into
~/.keystore in the user's home directory.
The passphrase can also be read from stdin.
Operation Example:
./keytool-importkeypair -k ./platform.jks -p android -pk8 platform.pk8 -cert platform.x509.pem -alias android
Note
-k ./platform.jks: Specifies the generated JKS filename as platform.jks
-p android: Specifies the password as android
-pk8 platform.pk8: Specifies the path to the pk8 file
-cert platform.x509.pem: Specifies the path to the pem file
-alias android: Specifies the alias as android
Signing the APK with System Signature
Android Studio Method
- Build -> Generate Signed App, then select to generate a signed APK.

- Select to generate an APK (App Bundle generates an AAB file).

- Select the system JKS file and enter the corresponding alias and password.

apksigner Method
apksigner usage:
USAGE: apksigner <command> [options]
apksigner --version
apksigner --help
EXAMPLE:
apksigner sign --ks release.jks app.apk
apksigner verify --verbose app.apk
apksigner is a tool for signing Android APK files and for checking whether
signatures of APK files will verify on Android devices.
COMMANDS
rotate Add a new signing certificate to the SigningCertificateLineage
sign Sign the provided APK
verify Check whether the provided APK is expected to verify on
Android
lineage Modify the capabilities of one or more signers in an existing
SigningCertificateLineage
version Show this tool's version number and exit
help Show this usage page and exit
Operation Example:
Note
--ks platform.jks: Specifies the path to the JKS file.
--ks-key-alias android: Must match the alias in the JKS.
--out app-signed.apk: Specifies the name for the signed APK.
app-debug.apk: Specifies the path to the APK that needs signing.
Java Method
Re-sign within the source code (ensure the source code has been compiled).
- Configure the Android Java environment.
H618 Platform:
A133 Platform:
RK3562 / RK3568 / RK3576 / RK3588 Platform:
./build.sh lunch
source device/rockchip/.BoardConfig.mk
source build/envsetup.sh
lunch $TARGET_PRODUCT-$BUILD_VARIANT
- Use Java for signing.
Tip
For different platforms, replace the paths for platform.pk8 and platform.x509.pem according to the actual signature file paths.
$ java -Xmx2048m -Djava.library.path="out/host/linux-x86/lib64" \
-jar out/host/linux-x86/framework/signapk.jar --disable-v2 \
-w device/rockchip/common/security/platform.x509.pem \
device/rockchip/common/security/platform.pk8 \
old.apk new.apk
Note
java: Command to start the Java Virtual Machine (JVM).
-Xmx2048m: Sets the maximum JVM heap size to 2048MB (2GB) to avoid out-of-memory errors during signing.
-Djava.library.path="out/host/linux-x86/lib64": Specifies the search path for Java native libraries (libraries written in C/C++), pointing to the host-side (Linux x86 architecture) library directory of the Android build output, ensuring the signing tool can load dependent native libraries.
-jar out/host/linux-x86/framework/signapk.jar: Specifies the execution of the signapk.jar tool (the official tool in the Android source code for APK signing, located in the host-side framework directory of the build output).
--disable-v2: Disables APK Signature Scheme V2 (uses only V1 signing).
V1 is the traditional JAR-based signing (generating signature files in the META-INF directory), which has good compatibility but lower security.
V2 is the full APK signature introduced in Android 7.0+, offering higher security.
Disabling V2 is usually for compatibility with older systems or specific scenarios (e.g., some customized systems have imperfect support for V2 signing).
-w platform.x509.pem: Specifies the public key certificate file (platform.x509.pem), -w indicates verifying the integrity of the certificate chain.
platform.pk8: Specifies the private key file (platform.pk8), paired with the above public key certificate, used for actually signing the APK.
old.apk: The original APK file to be signed (can be unsigned, pre-signed, or signed with another signature).
new.apk: The new APK file generated after signing (save path and filename, will overwrite an existing file with the same name).
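To check what the --disable-v2 option described above leaves in the output, the following added example (not part of the original page or of the Android signing tools) reports which signature schemes an APK carries: the v1 files under META-INF/ and the APK Signing Block that sits before the ZIP central directory. It also recognizes the v3 block ID, which goes beyond the V1/V2 cases in the text; `signature_schemes` and `make_sample` are hypothetical names, and the sample APKs are constructed dummies.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"                       # trailer of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # IDs of the ID-value pairs

def signature_schemes(apk: bytes) -> set:
    """Report which of 'v1', 'v2', 'v3' are present; presence only, no verification."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    # v1 (JAR signing): manifest, signature file and signature block in META-INF/
    if ("META-INF/MANIFEST.MF" in names
            and any(n.endswith(".SF") for n in names)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in names)):
        found.add("v1")
    # v2/v3: the APK Signing Block sits immediately before the ZIP central directory
    cd = struct.unpack_from("<I", apk, apk.rfind(b"PK\x05\x06") + 16)[0]
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return found
    size = struct.unpack_from("<Q", apk, cd - 24)[0]  # excludes the leading size field
    pos, end = cd - size, cd - 24                     # span of the ID-value pairs
    while 0 <= pos and pos + 12 <= end:
        length, scheme_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            break                                     # malformed pair: stop parsing
        if scheme_id in SCHEME_IDS:
            found.add(SCHEME_IDS[scheme_id])
        pos += 8 + length
    return found

def make_sample(v1: bool, block_ids=()) -> bytes:
    """Constructed APK-like ZIP with dummy entries and an optional dummy signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed")
        for name in ("MANIFEST.MF", "CERT.SF", "CERT.RSA") if v1 else ():
            zf.writestr("META-INF/" + name, b"constructed")
    apk = buf.getvalue()
    if not block_ids:
        return apk
    cd = struct.unpack_from("<I", apk, len(apk) - 6)[0]  # EOCD is the last 22 bytes here
    pairs = b"".join(struct.pack("<QI", 8, i) + b"\0" * 4 for i in block_ids)
    size = struct.pack("<Q", len(pairs) + 24)
    block = size + pairs + size + MAGIC
    tail = bytearray(apk[cd:])
    struct.pack_into("<I", tail, len(tail) - 6, cd + len(block))  # shift the CD offset
    return apk[:cd] + block + bytes(tail)
```

This reports presence only; `apksigner verify --verbose new.apk` remains the check for whether the signatures actually validate.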
Android.mk Method
Add the platform configuration:
Operation Example:
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := Test
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_TAGS := optional
LOCAL_BUILT_MODULE_STEM := package.apk
LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
LOCAL_CERTIFICATE := platform
LOCAL_SRC_FILES := Test.apk
include $(BUILD_PREBUILT)