Android App Signing

Why are they important?

• They uniquely identify your signing certificate
• API providers use them to ensure requests come from your legitimate app
• Debug and release keystores produce different fingerprints, which is why APIs often require both

How can you retrieve them?

You can extract the fingerprints using the keytool command:

For SHA-1:

keytool -list -v -keystore your-release-key.jks -alias yourAlias -storepass yourStorePass -keypass yourKeyPass | grep SHA1

For SHA-256:

keytool -list -v -keystore your-release-key.jks -alias yourAlias -storepass yourStorePass -keypass yourKeyPass | grep SHA-256

If you want the full certificate details (without grep):

keytool -list -v -keystore your-release-key.jks -alias yourAlias

APK Signing

An APK is a fully installable artifact and must be signed before installation. The signing process is final and visible on the file itself.

Key characteristics:

• APKs are signed locally using a keystore
• Signature details can be inspected directly using apksigner
• APKs may include multiple signature schemes at the same time

Supported APK Signature Schemes:

• v1 (JAR signing): Required for very old Android versions
• v2: Default for modern Android versions
• v3: Adds key rotation support
• v4: Optimized for incremental installation

In practice, most release APKs are signed with v2 and v3 together to ensure broad compatibility.

AAB Signing

An AAB (Android App Bundle) is not a final installable artifact. It is uploaded to Google Play where the signing process is completed.

Key characteristics:

• AABs uploaded to Google Play are typically signed with an upload key, if Play App Signing is enabled
• Google Play verifies the upload key and then re-signs the generated APKs using the App Signing Key
• Signature scheme details (v1–v4) are applied by Google Play, not locally

Because of this model:

• Signature scheme versions cannot be fully inspected on the AAB itself
• Final signing details are only present on the APK artifacts generated by Google Play

Side-by-Side Comparison

Understanding these differences helps prevent signature mismatch, update failures, and unexpected Play Store rejections.

When Are Multiple Signature Schemes Applied?

By default, current Android build tools sign APKs using multiple signature schemes in a single artifact.

Typical default behavior:

• Typically v2 and v3 are applied by default. v1 may also be included for backward compatibility, depending on minSdkVersion.
• v1 ensures compatibility with very old Android versions
• v2 and v3 provide stronger integrity checks and support features like key rotation

This multi-scheme approach allows the same APK to:

• Install on older devices
• Benefit from modern security guarantees on newer Android versions

What Each Signature Scheme Is Used For?

• v1 (JAR Signing): Legacy scheme required only for very old Android versions.
• v2 (APK Signature Scheme v2): Default and required for modern Android devices. Improves verification performance and security.
• v3 (APK Signature Scheme v3): Extends v2 and enables signing key rotation, allowing a new key to replace an old one without breaking app updates.
• v4 (APK Signature Scheme v4): Used for incremental installation and fast deployment. It does not replace v2 or v3 and is applied alongside them when supported.

Which Signature Schemes Are Required by Google Play?

• v2 (or higher) is required for all new apps uploaded to Google Play.
• v1 alone is not sufficient for Play Store distribution.
• For AAB uploads, Google Play applies the required signature schemes automatically when generating APKs.
• Developers do not need to manually configure signature schemes for AABs; Google Play enforces the correct defaults.

What causes package name mismatch?

This error occurs when the applicationId (package name) of the new build does not match the package name of the already installed app or the one registered in Google Play.

Common causes include:

• Re-signing an APK built from a different product flavor or build variant
• Modifying the applicationId during the build process
• Attempting to update an existing app with a package that was originally built for a different app identity

Result: Android treats the app as a completely different application and blocks the update.

What causes package not found errors?

This error typically appears when the system or installer cannot associate the new artifact with an existing installed package.

Common causes include:

• Re-signing an APK and attempting to install it as an update, while the original app was signed with a different keystore
• Trying to update an app that was installed from Google Play using a locally re-signed APK
• Mismatched signing certificates between the installed app and the new build

Result: The device cannot find a matching package to update and rejects the installation.

Why does signature mismatch prevent app updates?

Android uses the signing certificate as the app's primary identity.

If the certificate changes, Android assumes the app comes from a different developer, even if the package name is the same.

This commonly happens when:

• An app is re-signed with a different keystore
• Debug and release keystores are mixed
• Re-signing is performed without using the original signing key

Result: Android blocks the update to protect users from potentially unsafe app replacements.

Checking APK Signing Details with apksigner

For APK files, apksigner is the most reliable tool. It provides detailed information about signature schemes and certificate validity.

apksigner verify --verbose --print-certs app-release.apk

This command allows you to verify:

• Whether the APK is signed
• Which signature schemes are used (v1, v2, v3, v4)
• Certificate details such as:
• Subject / Issuer
• SHA-1 and SHA-256 fingerprints
• Certificate validity period (Not Before / Not After)

This is the recommended way to confirm signature scheme versions, especially when diagnosing installation or update issues.

Inspecting Certificate Details with keytool

If you have access to the keystore file, you can inspect the certificate directly using keytool:

keytool -list -v -keystore release-key.jks -alias yourAlias

This command outputs:

• Certificate owner and issuer
• Validity period (expiration date)
• SHA-1 / SHA-256 fingerprints
• Key algorithm and size

This method is useful for checking whether a certificate is expired or about to expire, which can cause unexpected build or release failures.

How should keystore files be managed securely?

Keystore files should be treated as high-sensitivity secrets.

Best practices include:

• Store keystores in secure credential storage, not on the build agent filesystem
• Use encrypted secret management mechanisms provided by the CI/CD platform
• Restrict access based on least privilege
• Rotate upload keys when possible and supported
• Monitor certificate expiration dates proactively

Keystores should only be injected into the pipeline at runtime and removed immediately after use.

Why should signing files not be committed to repositories?

Committing a signing file to a repository introduces serious security risks:

• Anyone with repository access can potentially extract the key
• Accidental leaks (forks, logs, backups) are difficult to control
• A compromised keystore can permanently block app updates

Once a signing key is leaked, it cannot be revoked or replaced easily, especially for production apps already published to Google Play or Huawei AppGallery.

Recommendation: Never store signing files in version control systems, even in private repositories.

How does Appcircle handle signing credentials?

Appcircle provides a secure signing workflow designed specifically for CI/CD environments:

• Keystore files are stored in encrypted credential storage
• Keystore files can be downloaded by authorized users within your Appcircle organization
• Passwords and aliases are managed as secure environment variables
• Keystore and alias passwords cannot be retrieved after being stored, even by fully authorized users within the Appcircle organization
• Signing credentials are injected only during the Android Sign step
• Keystores are not exposed to build logs or artifacts
• Access can be restricted per project or pipeline

This approach minimizes the risk of credential exposure while ensuring consistent and repeatable signing across environments.