Code sign for Android

In this article, you'll learn about how to code sign for Android (APK). You need to sign your app for Android if you selected Android as one of the platforms while creating and building your wrap project.


If you'd like to sign an AAB app for Google Play distribution instead, refer to Sign your app.

Prepare your PC

You need the following information to get started:

Generate keys


Skip to sign the APK package if you've already generated keys and signature hash while creating the app registration.

We'll use keytool.exe (available after installing Android Studio, from the folder location "Drive:\Program Files\Android\Android Studio\jre\bin\keytool.exe") to create a certificate to sign the application package. Keytool is used to manage a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.

To generate a key, open a command prompt and run the following command:

keytool -genkey -alias SIGNATURE_ALIAS -keyalg RSA -keystore PATH_TO_KEYSTORE -keysize 2048 -validity 10000


  • genkey - command to generate a key.
  • alias - indicates the alias to be used in the future to refer to the keystore entry containing the keys that are generated.
  • keyalg - key algorithm name.
  • keystore - the name of the keystore you're using.
  • keysize - the size of each key to be generated.
  • validity - validity of the key in number of days.


  • If preparing Keyvault, PATH_TO_KEYSTORE should have .pfx extension.

    keytool -genkey -alias powerappswrap -keyalg RSA -keystore powerappswrap.pfx -keysize 2048 -validity 10000

  • If preparing for manual signing, PATH_TO_KEYSTORE should have .jks extension.

    keytool -genkey -alias powerappswrap -keyalg RSA -keystore powerappswrap.jks -keysize 2048 -validity 10000

A screenshot with keytool command using the parameters in the above example.

Generate signature hash


Skip to sign the APK package if you've already generated keys and signature hash while creating the app registration.

After generating the key, the exportcert command is used in keytool to export the keystore certificate.

keytool -exportcert -alias SIGNATURE_ALIAS -keystore PATH_TO_KEYSTORE | openssl sha1 -binary | openssl base64


  • exportcert - reads from the keystore the certificate associated with alias and stores it in the cert_file file. When no file is specified, the certificate is output to stdout.
  • alias - the alias used while generating keys earlier.
  • keystore - the name of the keystore you're using.
  • openssl - generates SHA1 key for Android.

Add the generated signature hash in the Redirect URI while registering the app.

Convert SHA1 hex to Base64-encoded signature hash manually

You might see the following error if your signature hash isn't correctly encoded or unacceptable in the Azure portal:

"The signature hash must be base64-encoded SHA1."

When this error appears, try to generate the signature hash using the following steps instead:

  1. Run keytool -list -v -alias SIGNATURE_ALIAS -keystore PATH_TO_KEYSTORE to list the certificate information in verbose mode.
  2. Copy the SHA1 value under the Certificate fingerprints section from the output. Ensure that you only copy the hexadecimal value.
    For example: EF:11:45:3D:F1:72:D9:8C:43:32:CD:0A:49:C2:E4:75:2D:B3:2D:9F
  3. Use any available "Hexadecimal to Base64" converter to convert the copied certificate fingerprint hexadecimal value into Base64 encoded value.
    Example of the Base64 encoded value: 8CPPeLaz9etdqQyaQubcqsy2Tw=
  4. Copy the generated Base64 encoded value as the Signature hash in the Azure portal while registering the app.

Sign the APK package

To sign the APK package, we'll use the apksigner tool. This tool allows you to sign APKs and ensure that the APK package signature are verified successfully on all Android platforms supported by the APKs.

Find your apksigner

  1. Check the Android SDK path in the Android Studio.

  2. Select Tool > SDK Manager > Android SDK Location.

    If using iOS, check the apksigner file from the buildTools Version directory:

    Go to SDK directory > build-tools > buildToolsVersion > lib, and check the apksigner.jar file

Use the apksigner file

Run the following command to use the apksigner and sign the package:

apksigner.bat sign --ks PATH_TO_KEYSTORE --ks-key-alias KEY_ALIAS PATH_TO_APK


  • ks - path to the keystore.
  • ks-key-alias - key alias path to APK file.

When prompted, enter the password.

More information: Android Studio command line tools: apksigner

Distribute the app

You can host the package on a distribution service such as App Center. To distribute using Microsoft Intune, see Add an Android line-of-business app to Microsoft Intune. To learn about giving an app access to the Intune app protection service, see Give your app access to the Intune app protection service.

See also