Hi,
I need to update an app on the Google Play Store to meet the latest API level requirements.
Before, the process was:
ionic cordova build --release android
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore myapp.apk myalias
zipalign.exe -v 4 myapp.apk final.apk
- brief testing on device
- upload
This was done following Publishing Your Android or iOS App in Google Play & App Store - Ionic Framework.
When I tried this time, jarsigner told me the following:
The SHA1 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
The SHA1withRSA algorithm specified for the -sigalg option is considered a security risk. This algorithm will be disabled in a future update.
and the app was not installable on devices.
After some research, I learned
- APK Signature Scheme v2 now required (Behavior changes: Apps targeting Android 11 | Android Developers)
- “APK Signature Scheme v2” is supported only by “apksigner” not by “jarsigner”
So now the process is:
ionic cordova build --release android
zipalign.exe -v 4 myapp.apk final.apk
apksigner sign --ks my.keystore final.apk --ks-key-alias myalias
Verifying this with apksigner I get
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
and verifying certs gives
Signer #1 certificate DN: abc
Signer #1 certificate SHA-256 digest: def
Signer #1 certificate SHA-1 digest: ghi
Signer #1 certificate MD5 digest: jkl
Using this, I can install the app on an Android 11 device, but not on Android 13.
So, as this app can be installed as well as being used in the intended manner on Android 11, it seems that the process is correct at least to the point of building the unsigned apk.
The first Google hit still leads to the above-mentioned article mentioning jarsigner, which no longer applies for meeting current API requirements. The same goes for Android Play Store Deployment: Publish Your Ionic Apps for Ionic v6, which lists jarsigner with SHA1 and SHA1withRSA.
What are the correct steps to manually sign an apk in 02/2023?
Kind regards
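
The revised order from the post above (zipalign, then apksigner sign, then verify), with a gate on the `apksigner verify --verbose` output, as an added example that is not part of the original post. The function names and the v1-only sample are constructed for illustration; the check covers signature schemes only and says nothing about why an install fails on a given Android version.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Read `apksigner verify --verbose` output on stdin. Succeed only if the APK
# verifies, has a valid v2 signature, and reports exactly one signer.
check_verify_output() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF output from Windows tools
        /^Verifies$/                          { verifies = 1 }
        /^Verified using v2 scheme .*: true$/ { v2 = 1 }
        /^Number of signers: /                { signers = $NF }
        END {
            if (!verifies)    { print "FAIL: APK does not verify";   exit 1 }
            if (!v2)          { print "FAIL: no valid v2 signature"; exit 1 }
            if (signers != 1) { print "FAIL: expected 1 signer, got " signers; exit 1 }
            print "OK: verifies with v2, 1 signer"
        }'
}

# The post's revised order: align first, then sign, then verify. Aligning
# after signing would modify the file and invalidate the v2 signature.
# Args: unsigned.apk final.apk keystore alias (apksigner prompts for the password)
sign_release() {
    zipalign -f -v 4 "$1" "$2" &&
    apksigner sign --ks "$3" --ks-key-alias "$4" "$2" &&
    apksigner verify --verbose "$2" | check_verify_output
}

# Constructed sample: the verify output quoted in the post.
SAMPLE_POST='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1'

# Constructed sample: what a v1-only (JAR-signed) APK would report.
SAMPLE_V1_ONLY='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1'

printf '%s\n' "$SAMPLE_POST"    | check_verify_output
printf '%s\n' "$SAMPLE_V1_ONLY" | check_verify_output || true
```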