Android app signing proves that an APK or generated split APKs come from the expected developer key. A release workflow should zipalign the artifact, sign it with the correct scheme and keystore, and verify the signature before distribution.
Signing Concepts
Android supports multiple APK signature schemes. V1 provides legacy JAR signing compatibility. V2 and V3 protect more of the APK structure and are required for modern distribution expectations. The right combination depends on your minimum Android version and release channel.
For Play Store releases, signing may involve both your upload key and Google Play App Signing. For direct distribution, your release keystore remains the key identity users depend on for updates.
Manual Workflow
- Build an unsigned or release-ready APK.
- Run
zipalignbefore signing when needed. - Sign with
apksignerusing the release keystore and alias. - Enable the signature schemes required by your target devices.
- Verify the final APK with
apksigner verify --verbose --print-certs. - Install the signed artifact on a test device before distribution.
Checks Before Publishing
| Check | Tool | Why |
|---|---|---|
| Zip alignment | zipalign -c | Confirms optimized APK alignment. |
| Signature schemes | apksigner verify | Confirms expected v1/v2/v3 coverage. |
| Certificate fingerprint | apksigner --print-certs | Confirms the correct key signed the artifact. |
| Install test | adb install | Catches install-time signing or compatibility problems. |
Common Mistakes
- Signing before zipalign. Re-aligning after signing can invalidate signatures.
- Using the debug keystore. Debug signatures are not appropriate for production releases.
- Losing keystore credentials. Without key continuity, existing users may not be able to update.
- Skipping verification. A signed APK should still be verified before upload or distribution.
How ADB Pro Helps
Signing Tools provides APK signing, zipalign, signature verification, keystore management, and favorite signing configurations from the IDE. AAB Tools uses signing configuration during AAB-to-APKS workflows, and Release Readiness checks signing status before release.
FAQ
Should I use v1, v2, or v3 signatures?
Modern releases normally use v2 and often v3, while v1 is kept only when legacy device compatibility is required.
Is zipalign still necessary?
Yes. It remains part of a clean release workflow and should happen before final signing.
Can I store passwords in Gradle files?
Avoid plain-text secrets in source files. Use secure credential storage, environment variables, or IDE password storage where appropriate.