Skip to main content

App Signing Certificate

Native library protects JNI interface and allows calling of Native methods through SDK only from known applications by checking APK signing certificate if it matches the one embedded in Native library. Native library contains different embedded certificate for every client. APK signing certificate (META-INF/CERT.RSA, without trailing signature) is embedded inside of Native library during compilation of Native code.

If Google Play App Signing is used, APK signing certificate is located here: META-INF/GOOGLEPLAY.RSA (or GOOGPLAY.RSA or other *.RSA).


Google Play Signing Key Upgrade

Provide 2 signing certificates (new and legacy) if during your app lifetime on Google Play, you upgraded your app signing key for new installs. Your new key is used to sign new installs and app updates. Your legacy app signing key is still used to sign updates for users who installed your app before the key upgrade.

See Google Play App Signing.

Signing APK and Exporting Signing Certificate

1. Build an unsigned APK.

$ gradle assembleRelease

2. Align the unsigned APK using zipalign.

$ zipalign -v -p 4 app-unsigned.apk app-unsigned-aligned.apk

3. Sign the APK with private key using apksigner.

$ apksigner sign --ks <KEYSTORE.jks> --ks-key-alias <ALIAS> --out app-release.apk app-unsigned-aligned.apk

Ensure that your application is signed by v1 scheme as well. Depending on the target and min Android version, the v1 signature might be omitted by default. See the documentation for more info.


$ cp app-release.apk
$ unzip -d app-release
$ cp app-release/META-INF/<NAME>.RSA ./<NAME>.RSA