{"id":13498343,"url":"https://github.com/patrickfav/uber-apk-signer","last_synced_at":"2025-07-03T19:33:24.190Z","repository":{"id":37633250,"uuid":"70518964","full_name":"patrickfav/uber-apk-signer","owner":"patrickfav","description":"A cli tool that helps signing and zip aligning single or multiple Android application packages (APKs) with either debug or provided release certificates. It supports v1, v2 and v3 Android signing scheme has an embedded debug keystore and auto verifies after signing.","archived":false,"fork":false,"pushed_at":"2023-10-30T09:18:40.000Z","size":7943,"stargazers_count":2179,"open_issues_count":12,"forks_count":216,"subscribers_count":36,"default_branch":"main","last_synced_at":"2025-04-15T02:11:16.952Z","etag":null,"topics":["android","android-signing-scheme","apk","apksigner","cli","keystore","signature","signing","verify","zipalign"],"latest_commit_sha":null,"homepage":"https://favr.dev/opensource/uber-apk-signer","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/patrickfav.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-10T18:56:44.000Z","updated_at":"2025-04-14T12:23:37.000Z","dependencies_parsed_at":"2022-07-12T16:34:48.841Z","dependency_job_id":"e9ff9e92-392d-4e5f-a72a-3ef671933e82","html_url":"https://github.com/patrickfav/uber-apk-signer","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrickfav%2Fuber-apk-signer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrickfav%2Fuber-apk-signer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrickfav%2Fuber-apk-signer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrickfav%2Fuber-apk-signer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/patrickfav","download_url":"https://codeload.github.com/patrickfav/uber-apk-signer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254346624,"owners_count":22055808,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","android-signing-scheme","apk","apksigner","cli","keystore","signature","signing","verify","zipalign"],"created_at":"2024-07-31T21:00:23.008Z","updated_at":"2025-05-15T13:06:16.748Z","avatar_url":"https://github.com/patrickfav.png","language":"Java","funding_links":[],"categories":["Java","Java (504)","\u003ca id=\"2110ded2aa5637fa933cc674bc33bf21\"\u003e\u003c/a\u003e工具","Utility","Misc"],"sub_categories":["\u003ca id=\"50f63dce18786069de2ec637630ff167\"\u003e\u003c/a\u003e加壳\u0026\u0026脱壳","Case Studies"],"readme":"# Uber Apk Signer\nA tool that helps to sign, [zip aligning](https://developer.android.com/studio/command-line/zipalign.html) and verifying\nmultiple Android application packages (APKs) with either debug or provided release certificates (or multiple). It\nsupports [v1, v2](https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2), [v3 Android signing scheme](https://source.android.com/security/apksigning/v3)\nand  [v4 Android signing scheme](https://source.android.com/security/apksigning/v4). Easy and convenient debug signing\nwith embedded debug keystore. Automatically verifies signature and zipalign after every signing.\n\n[![GitHub release](https://img.shields.io/github/release/patrickfav/uber-apk-signer.svg)](https://github.com/patrickfav/uber-apk-signer/releases/latest)\n[![Github Actions](https://github.com/patrickfav/uber-apk-signer/actions/workflows/build_deploy.yml/badge.svg)](https://github.com/patrickfav/uber-apk-signer/actions)\n[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=patrickfav_uber-apk-signer\u0026metric=coverage)](https://sonarcloud.io/summary/new_code?id=patrickfav_uber-apk-signer)\n[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=patrickfav_uber-apk-signer\u0026metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=patrickfav_uber-apk-signer)\n\nMain features:\n\n* zipalign, (re)signing and verifying of multiple APKs in one step\n* verify signature (with hash check) and zipalign of multiple APKs in one step\n* built-in zipalign \u0026 debug keystore for convenient usage\n* supports v1, v2, v3 and v4 android apk singing scheme\n* support for multiple signatures for one APK\n* crypto/signing code relied upon official implementation\n\nBasic usage:\n\n    java -jar uber-apk-signer.jar --apks /path/to/apks\n\nThis should run on any Windows, Mac or Linux machine where JDK8 is installed. \n\n### Requirements\n\n* JDK 8\n* Currently on Linux 32bit: zipalign must be set in `PATH`\n\n## Download\n\n[Grab jar from the latest Release](https://github.com/patrickfav/uber-apk-signer/releases/latest)\n\n## Demo\n\n[![asciicast](https://asciinema.org/a/91092.png)](https://asciinema.org/a/91092)\n\n## Command Line Interface\n\n    -a,--apks \u003cfile/folder\u003e           Can be a single apk or a folder containing multiple apks. These are used\n                                      as source for zipalining/signing/verifying. It is also possible to\n                                      provide multiple locations space seperated (can be mixed file folder):\n                                      '/apk /apks2 my.apk'. Folder will be checked non-recursively.\n       --allowResign                  If this flag is set, the tool will not show error on signed apks, but\n                                      will sign them with the new certificate (therefore removing the old\n                                      one).\n       --debug                        Prints additional info for debugging.\n       --dryRun                       Check what apks would be processed without actually doing anything.\n    -h,--help                         Prints help docs.\n       --ks \u003ckeystore\u003e                The keystore file. If this isn't provided, will tryto sign with a debug\n                                      keystore. The debug keystore will be searched in the same dir as\n                                      execution and 'user_home/.android' folder. If it is not found there a\n                                      built-in keystore will be used for convenience. It is possible to pass\n                                      one or multiple keystores. The syntax for multiple params is\n                                      '\u003cindex\u003e=\u003ckeystore\u003e' for example: '1=keystore.jks'. Must match the\n                                      parameters of --ksAlias.\n       --ksAlias \u003calias\u003e              The alias of the used key in the keystore. Must be provided if --ks is\n                                      provided. It is possible to pass one or multiple aliases for multiple\n                                      keystore configs. The syntax for multiple params is '\u003cindex\u003e=\u003calias\u003e'\n                                      for example: '1=my-alias'. Must match the parameters of --ks.\n       --ksDebug \u003ckeystore\u003e           Same as --ks parameter but with a debug keystore. With this option the\n                                      default keystore alias and passwords are used and any arguments relating\n                                      to these parameter are ignored.\n       --ksKeyPass \u003cpassword\u003e         The password for the key. If this is not provided, caller will get a\n                                      user prompt to enter it. It is possible to pass one or multiple\n                                      passwords for multiple keystore configs. The syntax for multiple params\n                                      is '\u003cindex\u003e=\u003cpassword\u003e'. Must match the parameters of --ks.\n       --ksPass \u003cpassword\u003e            The password for the keystore. If this is not provided, caller will get\n                                      a user prompt to enter it. It is possible to pass one or multiple\n                                      passwords for multiple keystore configs. The syntax for multiple params\n                                      is '\u003cindex\u003e=\u003cpassword\u003e'. Must match the parameters of --ks.\n    -l,--lineage \u003cpath\u003e               The lineage file for apk signer schema v3 if more then 1 signature is\n                                      used. See here https://bit.ly/2mh6iAC for more info.\n    -o,--out \u003cpath\u003e                   Where the aligned/signed apks will be copied to. Must be a folder. Will\n                                      create, if it does not exist.\n       --overwrite                    Will overwrite/delete the apks in-place\n       --skipZipAlign                 Skips zipAlign process. Also affects verify.\n    -v,--version                      Prints current version.\n       --verbose                      Prints more output, especially useful for sign verify.\n       --verifySha256 \u003ccert-sha256\u003e   Provide one or multiple sha256 in string hex representation (ignoring\n                                      case) to let the tool check it against hashes of the APK's certificate\n                                      and use it in the verify process. All given hashes must be present in\n                                      the signature to verify e.g. if 2 hashes are given the apk must have 2\n                                      signatures with exact these hashes (providing only one hash, even if it\n                                      matches one cert, will fail).\n    -y,--onlyVerify                   If this is passed, the signature and alignment is only verified.\n       --zipAlignPath \u003cpath\u003e          Pass your own zipalign executable. If this is omitted the built-in\n                                      version is used (available for win, mac and linux)\n\n### Examples\n\nProvide your own out directory for signed apks\n\n    java -jar uber-apk-signer.jar -a /path/to/apks --out /path/to/apks/out\n\nOnly verify the signed apks\n\n    java -jar uber-apk-signer.jar -a /path/to/apks --onlyVerify\n\nSign with your own release keystore\n\n    java -jar uber-apk-signer.jar -a /path/to/apks --ks /path/release.jks --ksAlias my_alias\n\nProvide your own zipalign executable\n\n    java -jar uber-apk-signer.jar -a /path/to/apks --zipAlignPath /sdk/build-tools/24.0.3/zipalign\n\nProvide your own location of your debug keystore\n\n    java -jar uber-apk-signer.jar -a /path/to/apks --ksDebug /path/debug.jks\n\nSign with your multiple release keystores (see below on how to create a lineage file)\n\n    java -jar uber-apk-signer.jar -a /path/to/apks --lineage /path/sig.lineage --ks 1=/path/release.jks 2=/path/release2.jks --ksAlias 1=my_alias1 2=my_alias2\n\nUse multiple locations or files (will ignore duplicate files)\n\n    java -jar uber-apk-signer.jar -a /path/to/apks /path2 /path3/select1.apk /path3/select2.apk\n\nProvide your sha256 hash to check against the signature:\n\n    java -jar uber-apk-signer.jar -a /path/to/apks --onlyVerify --verifySha256 ab318df27\n\n\n### Process Return Value\n\nThis application will return `0` if every signing/verifying was successful, `1` if an error happens (e.g. wrong arguments) and `2` if at least 1 sign/verify process was not successful.\n\n### Debug Signing Mode\n\nIf no keystore is provided the tool will try to automatically sign with a debug keystore. It will try to find on in the following locations (descending order):\n\n* Keystore location provided with `--ksDebug`\n* `debug.keystore` in the same directory as the jar executable\n* `debug.keystore` found in the `/user_home/.android` folder\n* Embedded `debug.keystore` packaged with the jar executable\n\nA log message will indicate which one was chosen.\n\n### Zipalign Executable\n\n[`Zipalign`](https://developer.android.com/studio/command-line/zipalign.html) is a tool developed by Google to optimize zips (apks). It is needed if you want to upload it to the Playstore otherwise it is optional. By default, this tool will try to zipalign the apk, therefore it will need the location of the executable. If the path isn't passed in the command line interface, the tool checks if it is in `PATH` environment variable, otherwise it will try to use an embedded version of zipalign. \n\nIf `--skipZipAlign` is passed no executable is needed.\n\n### v1, v2 and v3 Signing Scheme\n\n[Android 7.0 introduces APK Signature Scheme v2](https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2), a new app-signing scheme that offers faster app install times and more protection against unauthorized alterations to APK files. By default, Android Studio 2.2 and the Android Plugin for Gradle 2.2 sign your app using both APK Signature Scheme v2 and the traditional signing scheme, which uses JAR signing.\n\n[APK Signature Scheme v2 is a whole-file signature scheme](https://source.android.com/security/apksigning/v2.html) that increases verification speed and strengthens integrity guarantees by detecting any changes to the protected parts of the APK. The older jarsigning is called v1 schema.\n\n[APK Signature Scheme v3](https://source.android.com/security/apksigning/v3) is an extension to v2 which allows a new signature lineage feature for key rotation, which basically means it will be possible to change signature keys.\n\n#### Signature Lineage File in Schema v3\n\nThis tool does not directly support the creation of lineage files as it is considered a task done very rarely. You can create a lineage file with a sequence of certificates with [Google's `apksigner rotate`](https://developer.android.com/studio/command-line/apksigner.html#options-sign-general) and apply it as `-- lineage` arguments when signing with multiple keystores:\n\n    apksigner rotate --out sig.lineage \\\n        --old-signer --ks debug1.keystore --ks-key-alias androiddebugkey \\\n        --new-signer --ks debug2.keystore --ks-key-alias androiddebugkey\n\n    java -jar uber-apk-signer.jar -a /path/to/apks --lineage sig.lineage (...)\n\n## Signed Release Jar\n\nThe provided JARs in the GitHub release page are signed with my private key:\n\n    CN=Patrick Favre-Bulle, OU=Private, O=PF Github Open Source, L=Vienna, ST=Vienna, C=AT\n    Validity: Thu Sep 07 16:40:57 SGT 2017 to: Fri Feb 10 16:40:57 SGT 2034\n    SHA1: 06:DE:F2:C5:F7:BC:0C:11:ED:35:E2:0F:B1:9F:78:99:0F:BE:43:C4\n    SHA256: 2B:65:33:B0:1C:0D:2A:69:4E:2D:53:8F:29:D5:6C:D6:87:AF:06:42:1F:1A:EE:B3:3C:E0:6D:0B:65:A1:AA:88\n\nUse the jarsigner tool (found in your `$JAVA_HOME/bin` folder) folder to verify.\n\n### Build with Maven\n\nUse the Maven wrapper to create a jar including all dependencies\n\n    ./mvnw clean install\n\n### Checkstyle Config File\n\nThis project uses my [`common-parent`](https://github.com/patrickfav/mvn-common-parent) which centralized a lot of\nthe plugin versions as well as providing the checkstyle config rules. Specifically they are maintained in [`checkstyle-config`](https://github.com/patrickfav/checkstyle-config). Locally the files will be copied after you `mvnw install` into your `target` folder and is called\n`target/checkstyle-checker.xml`. So if you use a plugin for your IDE, use this file as your local configuration.\n\n## Tech-Stack\n\n* Java 8\n* Maven\n\n# License\n\nCopyright 2016 Patrick Favre-Bulle\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatrickfav%2Fuber-apk-signer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatrickfav%2Fuber-apk-signer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatrickfav%2Fuber-apk-signer/lists"}