Signing ionic v6 apk

Llarian · February 8, 2023, 10:18am

Hi,

I need to update an app on Google play store to meet the latest API level requirements.
Before, the process was:

ionic cordova build --release android
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore myapp.apk myalias
zipalign.exe -v 4 myapp.apk final.apk
brief testing on device
upload

this was done following Publishing Your Android or iOS App in Google Play & App Store - Ionic Framework

when I tried this time:
jarsigner told me the following

The SHA1 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
The SHA1withRSA algorithm specified for the -sigalg option is considered a security risk. This algorithm will be disabled in a future update.

and the app was not installable on devices.

After some research, I learned

APK Signature Scheme v2 now required (Behavior changes: Apps targeting Android 11 | Android Developers)
“APK Signature Scheme v2” is supported only by “apksigner” not by “jarsigner”

so, now the process is

ionic cordova build --release android
zipalign.exe -v 4 myapp.apk final.apk
apksigner sign --ks my.keystore final.apk --ks-key-alias myalias

Verifying this with apksigner I get

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1

and verifying certs gives

Signer #1 certificate DN: abc
Signer #1 certificate SHA-256 digest: def
Signer #1 certificate SHA-1 digest: ghi
Signer #1 certificate MD5 digest: jkl

using this, I can install the app on an Android 11 device, but not on Android 13.

So, as this app can be installed as well as being used in the intended manner on Android 11, it seems that the process is correct at least to the point of building the unsigned apk.

The first google hit still leads to the above mentioned article mentioning jarsigner, which does no longer apply to meet current API requirements. As well does Android Play Store Deployment: Publish Your Ionic Apps for ionic v6, it lists jarsigner with SHA1 and SHA1withRSA.

What are the correct steps to manually sign an apk in 02/2023?

kind regards