-
Notifications
You must be signed in to change notification settings - Fork 1
APK Signing
wody edited this page May 24, 2026
·
2 revisions
Introduced in v0.28.0. Every build detail page runs
apksigner verify --verbose --print-certs on the produced APK and shows
the result inline.
- Before uploading to Play Console (especially
production) you want to confirm the APK is signed with the correct release keystore. - A SHA-256 fingerprint mismatch in an upload is one of the most painful troubleshooting paths in Android — Play returns a generic "wrong signature" error long after the upload completes.
- Inline display lets you check at a glance instead of:
apksigner verify --verbose --print-certs <path>from a shell + finding the path.
For each generated APK:
| Field | Meaning |
|---|---|
| verified badge | Did apksigner verify exit 0 + find at least one active scheme + not contain "DOES NOT VERIFY"? |
| Active schemes |
v1 (JAR signing) / v2 (APK Signature Scheme v2) / v3 / v4
|
| Signer #N — DN | Subject distinguished name (e.g. CN=Jangwook Lee, OU=Mobile, O=Sia Makerlab, …) |
| Signer #N — SHA-256 | Certificate fingerprint, 4-character grouped |
-
ApkSignerInspector.locateApksigner()walks$ANDROID_HOME/build-tools/<version>/apksignerand picks the newest semver directory. - Output is parsed by regex (
Regex("Verified using (v\\d) scheme.*: (true|false)"),Regex("Signer #(\\d+) certificate SHA-256 digest: ([0-9a-fA-F:]+)"), …) — best-effort. Futureapksignerreleases that change wording will fall through to "could not extract". - 30 s timeout on the verify call.
- If SDK or build-tools are missing, the card shows a graceful warning ("ANDROID_HOME 미설정" / "apksigner 를 찾을 수 없습니다") — the rest of the build detail page is unaffected.
- Debug builds use the default Android debug keystore — SHA-256 fingerprint will match whatever debug keystore the SDK ships with on the build host.
- Release builds need a configured signing config (see Architecture §Keystore generation for the optional REST API). The fingerprint here is what Play / TestFlight will pin to your app forever — verify it matches your reference fingerprint.
- Build pipeline: Build Environment.
- Upload to stores: Publishing to Stores.
- Keystore generation API: see the keystore section in REST API Reference.