Signing ionic v6 apk

Hi,

I need to update an app on the Google Play Store to meet the latest API level requirements.
Before, the process was:

  • ionic cordova build --release android
  • jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore myapp.apk myalias
  • zipalign.exe -v 4 myapp.apk final.apk
  • brief testing on device
  • upload

This was done following Publishing Your Android or iOS App in Google Play & App Store - Ionic Framework.

When I tried this time, jarsigner told me the following:

The SHA1 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
The SHA1withRSA algorithm specified for the -sigalg option is considered a security risk. This algorithm will be disabled in a future update.

and the app was not installable on devices.

After some research, I learned

So, now the process is:

  • ionic cordova build --release android
  • zipalign.exe -v 4 myapp.apk final.apk
  • apksigner sign --ks my.keystore final.apk --ks-key-alias myalias

Verifying this with apksigner I get

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1

and verifying certs gives

Signer #1 certificate DN: abc
Signer #1 certificate SHA-256 digest: def
Signer #1 certificate SHA-1 digest: ghi
Signer #1 certificate MD5 digest: jkl

Using this, I can install the app on an Android 11 device, but not on Android 13.

So, as this app can be installed as well as being used in the intended manner on Android 11, it seems that the process is correct at least to the point of building the unsigned apk.

The first Google hit still leads to the above-mentioned article mentioning jarsigner, which no longer applies for meeting current API requirements. The same goes for Android Play Store Deployment: Publish Your Ionic Apps for ionic v6; it lists jarsigner with SHA1 and SHA1withRSA.

What are the correct steps to manually sign an apk in 02/2023?

kind regards

Hi! This response might come a little too late, but these are the steps that have worked for me in the past months.

After the upgrade to Angular 13 and Cordova 11, the --prod build command generates an .aab file. This aab file must be converted to apk and signed. So, from Generate an APK file from an AAB file (Android app bundle) - Stack Overflow I got the following workflow:

  1. Download the bundletool jar from android github. I placed it on my app’s root folder and renamed the jar to bundletool.jar for easier execution. Source: Releases · google/bundletool · GitHub

  2. Run command: ionic cordova build android --prod --release

  3. Run command: java -jar "bundletool.jar" build-apks --bundle=platforms/android/app/build/outputs/bundle/release/app-release.aab --output=builds.apks --mode=universal --ks="MyApp.keystore" --ks-pass=pass:mypasscode --ks-key-alias=myalias --key-pass=pass:mypasscode
    A file “builds.apks” will be generated.

  4. Rename builds.apks to builds.zip

  5. Unzip builds.zip. Inside you will find the signed apk with the name universal.apk.

I’d love to know if there is an updated or less complicated way of generating signed apks or if the popular suggestion is migrating to AAB.
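
Steps 3 to 5 of the answer above as one script, added here as an example and not part of either post: it reads the keystore password from a file (bundletool's `file:` qualifier) instead of the command line, extracts universal.apk without the rename step, and checks the `apksigner verify --verbose` output for a v2 or v3 signature. The function names, the script name `sign.sh`, the password file `ks.pass` and the use of `--overwrite` are assumptions of this example; the paths follow the answer.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the password-file
# argument are assumptions of this example; paths follow the answer above.

# Return 0 if the `apksigner verify --verbose` output in $1 reports
# signature scheme v$2 as "true".
scheme_verified() {
    printf '%s\n' "$1" | grep -Eq "^Verified using v$2 scheme \(.*\): true\$"
}

# Accept only output that says "Verifies" and carries a v2 or v3 signature.
# Android 11+ refuses APKs that target API 30+ and are signed with v1 only.
check_signature() {
    if ! printf '%s\n' "$1" | grep -q '^Verifies$'; then
        echo "FAIL: apksigner did not report 'Verifies'"
        return 1
    fi
    if scheme_verified "$1" 2 || scheme_verified "$1" 3; then
        echo "OK: APK Signature Scheme v2 or v3 present"
        return 0
    fi
    echo "FAIL: only a v1 (JAR) signature, or none"
    return 1
}

# $1 = .aab   $2 = keystore   $3 = key alias   $4 = file holding the password
# file: keeps the password out of the process list and shell history.
build_universal_apk() {
    java -jar bundletool.jar build-apks --bundle="$1" --output=builds.apks \
        --overwrite --mode=universal --ks="$2" --ks-key-alias="$3" \
        --ks-pass="file:$4" --key-pass="file:$4" &&
    unzip -o builds.apks universal.apk   # .apks is a zip; no rename needed
}

verify_apk() {
    out=$(apksigner verify --verbose --print-certs "$1") || return 1
    printf '%s\n' "$out"
    check_signature "$out"
}

# Runs only when all four arguments are given, e.g. (hypothetical file names):
#   sh sign.sh platforms/android/app/build/outputs/bundle/release/app-release.aab \
#      MyApp.keystore myalias ks.pass
if [ "$#" -eq 4 ]; then
    build_universal_apk "$@" && verify_apk universal.apk
fi
```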