App Signing¶
This chapter describes how to apply system signing to an application in the Android system.
Obtaining APK Signing Keys¶
Tip
The keys can be obtained from the SDK path of the board platform, or from the cloud storage link for the specific board model.
| Model | SoC | SDK | Key Path | Cloud Storage |
|---|---|---|---|---|
| K5 / K5C | A133 | a133-android10.0 | android/build/target/product/security/ |
Download |
| K2B / K2C | H618 | h618-android12.0 | build/target/product/security/ |
Download |
| K10B | A733 | a733-android13.0 | build/target/product/security/ |
Download |
| K1 MINI / K3 / K8 / K8D / K11C / TX66 | RK356x-RK3588 | rk-android13.0 | device/rockchip/common/security/ |
Download |
| K1 MINI / K3B / K8D / K11C | RK356x-RK3588 | rk-android14.0 | build/target/product/security/ |
Download |
| K7 / K7C / K7S_K7F | RK3576 | rk3576-android14.0 | build/target/product/security/ |
Download |
| K9 | T527 | t527-android13.0 | build/target/product/security/ |
Download |
Creating a JKS Keystore¶
1. Place the system signature files and keytool-importkeypair in the same directory.
2. Use keytool-importkeypair to generate the JKS file.
keytool-importkeypair usage:
keytool-importkeypair: Missing option, exiting...
usage: keytool-importkeypair [-k keystore] [-p storepass]
-pk8 pk8 -cert cert -alias key_alias
This script is used to import a key/certificate pair
into a Java keystore.
If a keystore is not specified then the key pair is imported into
~/.keystore in the user's home directory.
The passphrase can also be read from stdin.
Example:
./keytool-importkeypair -k ./platform.jks -p android -pk8 platform.pk8 -cert platform.x509.pem -alias android
Note
-k ./platform.jks – Specifies the output JKS filename as platform.jks
-p android – Sets the password to android
-pk8 platform.pk8 – Specifies the path to the PK8 private key file
-cert platform.x509.pem – Specifies the path to the PEM certificate file
-alias android – Sets the alias to android
Signing an APK with System Signature¶
Via Android Studio¶
1. Go to Build → Generate Signed App / Bundle and select Generate Signed APK.

2. Select APK (selecting App Bundle generates an .aab file).

3. Select the system JKS keystore and enter the corresponding alias and passwords.

Via apksigner¶
apksigner usage:
USAGE: apksigner <command> [options]
apksigner --version
apksigner --help
EXAMPLE:
apksigner sign --ks release.jks app.apk
apksigner verify --verbose app.apk
apksigner is a tool for signing Android APK files and for checking whether
signatures of APK files will verify on Android devices.
COMMANDS
rotate Add a new signing certificate to the SigningCertificateLineage
sign Sign the provided APK
verify Check whether the provided APK is expected to verify on
Android
lineage Modify the capabilities of one or more signers in an existing
SigningCertificateLineage
version Show this tool's version number and exit
help Show this usage page and exit
Example:
Note
--ks platform.jks – Specifies the path to the JKS keystore.
--ks-key-alias android – Must match the alias in the JKS keystore.
--out app-signed.apk – Specifies the output filename for the signed APK.
app-debug.apk – Specifies the path to the APK to be signed.
Via Java Command Line¶
Re‑sign the APK in the source tree (ensure the source has been built).
1. Set up the Android Java environment.
// H618
source build/envsetup.sh && source device/softwinner/.BoardConfig.mk && lunch apollo_p2-userdebug
// A133
source build/envsetup.sh && lunch ceres_c3-userdebug
// A733
source build/envsetup.sh && lunch a733_demo_aiot_arm64-userdebug
// RK3562 / RK3568 / RK3576 / RK3588
./build.sh lunch && source device/rockchip/.BoardConfig.mk && source build/envsetup.sh && lunch \$TARGET_PRODUCT-\$BUILD_VARIANT
// T527
source build/envsetup.sh && lunch t527_demo_arm64-userdebug
2. Sign the APK using the Java command.
Tip
Replace the paths to platform.pk8 and platform.x509.pem according to the actual signature file locations for your platform.
$ java -Xmx2048m -Djava.library.path="out/host/linux-x86/lib64" \
-jar out/host/linux-x86/framework/signapk.jar --disable-v2 \
-w device/rockchip/common/security/platform.x509.pem \
device/rockchip/common/security/platform.pk8 \
old.apk new.apk
Note
java – Launches the Java Virtual Machine (JVM).
-Xmx2048m – Sets the maximum heap size to 2048 MB to avoid out‑of‑memory errors during signing.
-Djava.library.path="out/host/linux-x86/lib64" – Specifies the search path for native libraries (C/C++).
-jar out/host/linux-x86/framework/signapk.jar – Runs the official Android APK signing tool from the source tree.
--disable-v2 – Disables APK Signature Scheme v2 (uses only v1 signing).
v1 (JAR‑based) is more compatible but less secure; v2 (introduced in Android 7.0+) signs the entire APK and is more secure.
Disabling v2 is usually done for compatibility with older systems or custom ROMs.
-w platform.x509.pem – Specifies the public key certificate; -w verifies certificate chain integrity.
platform.pk8 – Specifies the private key paired with the above certificate.
old.apk – The original APK to be signed (unsigned, pre‑signed, or signed with a different key).
new.apk – The output path/filename for the signed APK.
Via Android.mk¶
Add the platform signing configuration:
Example:
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := Test
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_TAGS := optional
LOCAL_BUILT_MODULE_STEM := package.apk
LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
LOCAL_CERTIFICATE := platform
LOCAL_SRC_FILES := Test.apk
include $(BUILD_PREBUILT)