USAGE: apksigner sign [options] apk

This signs the provided APK using one or more signers, each represented by
an asymmetric key pair and a corresponding certificate. Typically, an APK is
signed by just one signer. For each signer, you need to provide the signer's
private key and certificate.


        OPTIONS

--out                 File into which to output the signed APK. By default, the
                      APK is signed in-place, overwriting the input file.

--min-sdk-version     Lowest API Level on which this APK's signatures will be
                      verified. By default, the value from AndroidManifest.xml
                      is used. The higher the value, the stronger security
                      parameters are used when signing.

--max-sdk-version     Highest API Level on which this APK's signatures will be
                      verified. By default, the highest possible value is used.

--v1-signing-enabled  Whether to enable signing using JAR signing scheme (aka v1
                      signing scheme, the one used in Android since day one). By
                      default, signing using this scheme is enabled based on min
                      and max SDK version (see --min-sdk-version and
                      --max-sdk-version).

--v2-signing-enabled  Whether to enable signing using APK Signature Scheme v2
                      (aka v2 signing scheme, the one introduced in Android
                      Nougat, API Level 24). By default, signing using this
                      scheme is enabled based on min and max SDK version (see
                      --min-sdk-version and --max-sdk-version).

-v, --verbose         Verbose output mode

-h, --help            Show help about this command and exit


        PER-SIGNER OPTIONS
These options specify the configuration of a particular signer. To delimit
options of different signers, use --next-signer.

--next-signer         Delimits options of two different signers. There is no
                      need to use this option when only one signer is used.

--v1-signer-name      Basename for files comprising the JAR signature scheme
                      (aka v1 scheme) signature of this signer. By default,
                      KeyStore key alias or basename of key file is used.

        PER-SIGNER SIGNING KEY & CERTIFICATE OPTIONS
There are two ways to provide the signer's private key and certificate: (1) Java
KeyStore (see --ks), or (2) private key file in PKCS #8 format and certificate
file in X.509 format (see --key and --cert).

--ks                  Load private key and certificate chain from the Java
                      KeyStore initialized from the specified file. NONE means
                      no file is needed by KeyStore, which is the case for some
                      PKCS #11 KeyStores.

--ks-key-alias        Alias under which the private key and certificate are
                      stored in the KeyStore. This must be specified if the
                      KeyStore contains multiple keys.

--ks-pass             KeyStore password (see --ks). The following formats are
                      supported:
                          pass:<password> password provided inline
                          env:<name>      password provided in the named
                                          environment variable
                          file:<file>     password provided in the named
                                          file, as a single line
                          stdin           password provided on standard input,
                                          as a single line
                      A password is required to open a KeyStore.
                      By default, the tool will prompt for password via console
                      or standard input.
                      When the same file (including standard input) is used for
                      providing multiple passwords, the passwords are read from
                      the file one line at a time. Passwords are read in the
                      order in which signers are specified and, within each
                      signer, KeyStore password is read before the key password
                      is read.

--key-pass            Password with which the private key is protected. By
                      default it is assumed that KeyStore keys are protected
                      using the same password as their KeyStore (see --ks-pass).
                      The following formats are supported:
                          pass:<password> password provided inline
                          env:<name>      password provided in the named
                                          environment variable
                          file:<file>     password provided in the named
                                          file, as a single line
                          stdin           password provided on standard input,
                                          as a single line
                      By default, if the key is password-protected, the tool
                      will prompt for password via console or standard input.
                      When the same file (including standard input) is used for
                      providing multiple passwords, the passwords are read from
                      the file one line at a time. Passwords are read in the
                      order in which signers are specified and, within each
                      signer, KeyStore password is read before the key password
                      is read.

--ks-type             Type/algorithm of KeyStore to use. By default, the default
                      type is used.

--ks-provider-name    Name of the JCA Provider from which to request the
                      KeyStore implementation. By default, the highest priority
                      provider is used. See --ks-provider-class for the
                      alternative way to specify a provider.

--ks-provider-class   Fully-qualified class name of the JCA Provider from which
                      to request the KeyStore implementation. By default, the
                      provider is chosen based on --ks-provider-name.

--ks-provider-arg     Value to pass into the constructor of the JCA Provider
                      class specified by --ks-provider-class. The value is
                      passed into the constructor as java.lang.String. By
                      default, the no-arg provider's constructor is used.

--key                 Load private key from the specified file. If the key is
                      password-protected, the password will be prompted via
                      standard input unless specified otherwise using
                      --key-pass. The file must be in PKCS #8 DER format.

--cert                Load certificate chain from the specified file. The file
                      must be in X.509 PEM or DER format.


        EXAMPLES

1. Sign an APK using the one and only key in keystore release.jks:
$ apksigner sign --ks release.jks app.apk

2. Sign an APK using a private key and certificate stored as individual files:
$ apksigner sign --key release.pk8 --cert release.x509.pem app.apk

3. Sign an APK using two keys:
$ apksigner sign --ks release.jks --next-signer --ks magic.jks app.apk
