Skip to content

App Signing

This chapter describes how to apply system signing to an application in the Android system.

Obtaining APK Signing Keys

Tip

The keys can be obtained from the SDK path of the board platform, or from the cloud storage link for the specific board model.

Model SoC SDK Key Path Cloud Storage
K5 / K5C A133 a133-android10.0 android/build/target/product/security/ Download
K2B / K2C H618 h618-android12.0 build/target/product/security/ Download
K10B A733 a733-android13.0 build/target/product/security/ Download
K1 MINI / K3 / K8 / K8D / K11C / TX66 RK356x-RK3588 rk-android13.0 device/rockchip/common/security/ Download
K1 MINI / K3B / K8D / K11C RK356x-RK3588 rk-android14.0 build/target/product/security/ Download
K7 / K7C / K7S_K7F RK3576 rk3576-android14.0 build/target/product/security/ Download
K9 T527 t527-android13.0 build/target/product/security/ Download

Creating a JKS Keystore

1. Place the system signature files and keytool-importkeypair in the same directory.

mkdir sign_key/
ls sign_key/
platform.pk8    platform.x509.pem    keytool-importkeypair

2. Use keytool-importkeypair to generate the JKS file.

keytool-importkeypair usage:

keytool-importkeypair: Missing option, exiting...
usage: keytool-importkeypair [-k keystore] [-p storepass]
-pk8 pk8 -cert cert -alias key_alias

This script is used to import a key/certificate pair
into a Java keystore.

If a keystore is not specified then the key pair is imported into
~/.keystore in the user's home directory.

The passphrase can also be read from stdin.

Example:

./keytool-importkeypair -k ./platform.jks -p android -pk8 platform.pk8 -cert platform.x509.pem -alias android

Note

-k ./platform.jks – Specifies the output JKS filename as platform.jks
-p android – Sets the password to android
-pk8 platform.pk8 – Specifies the path to the PK8 private key file
-cert platform.x509.pem – Specifies the path to the PEM certificate file
-alias android – Sets the alias to android

Signing an APK with System Signature

Via Android Studio

1. Go to Build → Generate Signed App / Bundle and select Generate Signed APK.

image-20250603141117161

2. Select APK (selecting App Bundle generates an .aab file).

image-20250603141754390

3. Select the system JKS keystore and enter the corresponding alias and passwords.

image-20250603142034270

Via apksigner

apksigner usage:

USAGE: apksigner <command> [options]
       apksigner --version
       apksigner --help

EXAMPLE:
       apksigner sign --ks release.jks app.apk
       apksigner verify --verbose app.apk

apksigner is a tool for signing Android APK files and for checking whether
signatures of APK files will verify on Android devices.

        COMMANDS
rotate                Add a new signing certificate to the SigningCertificateLineage

sign                  Sign the provided APK

verify                Check whether the provided APK is expected to verify on
                      Android

lineage               Modify the capabilities of one or more signers in an existing
                      SigningCertificateLineage

version               Show this tool's version number and exit

help                  Show this usage page and exit

Example:

apksigner sign --ks platform.jks --ks-key-alias android --out app-signed.apk app-debug.apk

Note

--ks platform.jks – Specifies the path to the JKS keystore.
--ks-key-alias android – Must match the alias in the JKS keystore.
--out app-signed.apk – Specifies the output filename for the signed APK.
app-debug.apk – Specifies the path to the APK to be signed.

Via Java Command Line

Re‑sign the APK in the source tree (ensure the source has been built).

1. Set up the Android Java environment.

// H618
source build/envsetup.sh && source device/softwinner/.BoardConfig.mk && lunch apollo_p2-userdebug

// A133
source build/envsetup.sh && lunch ceres_c3-userdebug

// A733
source build/envsetup.sh && lunch a733_demo_aiot_arm64-userdebug

// RK3562 / RK3568 / RK3576 / RK3588
./build.sh lunch && source device/rockchip/.BoardConfig.mk && source build/envsetup.sh && lunch \$TARGET_PRODUCT-\$BUILD_VARIANT

// T527
source build/envsetup.sh && lunch t527_demo_arm64-userdebug

2. Sign the APK using the Java command.

Tip

Replace the paths to platform.pk8 and platform.x509.pem according to the actual signature file locations for your platform.

$ java -Xmx2048m -Djava.library.path="out/host/linux-x86/lib64" \
-jar out/host/linux-x86/framework/signapk.jar  --disable-v2 \
-w device/rockchip/common/security/platform.x509.pem \
device/rockchip/common/security/platform.pk8 \
old.apk new.apk

Note

java – Launches the Java Virtual Machine (JVM).
-Xmx2048m – Sets the maximum heap size to 2048 MB to avoid out‑of‑memory errors during signing.
-Djava.library.path="out/host/linux-x86/lib64" – Specifies the search path for native libraries (C/C++).
-jar out/host/linux-x86/framework/signapk.jar – Runs the official Android APK signing tool from the source tree.
--disable-v2 – Disables APK Signature Scheme v2 (uses only v1 signing).
v1 (JAR‑based) is more compatible but less secure; v2 (introduced in Android 7.0+) signs the entire APK and is more secure.
Disabling v2 is usually done for compatibility with older systems or custom ROMs.
-w platform.x509.pem – Specifies the public key certificate; -w verifies certificate chain integrity.
platform.pk8 – Specifies the private key paired with the above certificate.
old.apk – The original APK to be signed (unsigned, pre‑signed, or signed with a different key).
new.apk – The output path/filename for the signed APK.

Via Android.mk

Add the platform signing configuration:

LOCAL_CERTIFICATE := platform

Example:

LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := Test
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_TAGS := optional
LOCAL_BUILT_MODULE_STEM := package.apk
LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
LOCAL_CERTIFICATE := platform
LOCAL_SRC_FILES := Test.apk
include $(BUILD_PREBUILT)

Viewing APK Signature Information

apksigner verify -v --print-certs test.apk