By Anton


2010-07-16 16:58:56 8 Comments

If I have an apk, can I remove the current signing and somehow re-sign it with a different .keystore file and still have the application install?

Update: I managed to get it to work with Jorgesys' solution. Where I messed up before was that I unzipped the .apk, then re-zipped it after removing the META-INF folder and changed the file extension back to .apk. What I should have done is simply open it with WinZip and delete the folder inside of WinZip.

7 comments

@Fatih 2013-04-22 11:31:22

If you are looking for a quick solution, you may use the open-source apk-resigner script or Google's apksigner tool.

   ./signapk.sh application.apk keystore key-pass alias

  • Alternatively, as an even simpler solution, you can use Google's apksigner command-line tool, which is available in revision 24.0.3 and higher.

   apksigner sign --ks release.jks application.apk

You can find more information about the apksigner tool at the Android developer site.

https://developer.android.com/studio/command-line/apksigner.html

@dac2009 2016-09-08 11:29:31

The signapk.sh script to download is no longer available.

@Fatih 2016-09-09 12:34:58

@dac2009 thanks for the comment, I have updated the link.

@patrickf 2016-11-18 15:35:11

fyi Google's new apksigner has the capability to resign out of the box developer.android.com/studio/command-line/apksigner.html

@patrickf 2016-11-18 15:31:40

Note if you use v2 signing schema (which you will automatically if you use build-tools 24.0.3+ in AS) you cannot just remove the META-INF folder from the APK since v2 adds its signing data to a zip meta block.

Google's new apksigner introduced in build-tools 24.03 (Android 7) is however able to resign APKs. You can just repeat the signing command to sign with a new keystore/cert (the old ones will be removed).

apksigner sign --ks keystore.jks signed_app.apk

Shameless plug: if you want an easier tool that can sign multiple apks and has better log output, use: https://github.com/patrickfav/uber-apk-signer (uses Google's apksigner.jar in the background)
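
Added example (not part of the answer above and not apksigner's code): a check that reports which signature schemes an APK carries, showing why deleting META-INF leaves a v2 signature behind. It follows the published APK Signing Block layout; `signature_schemes` and `make_sample` are names chosen here, and the sample APK is constructed with a dummy block.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"                        # trailer of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # IDs of the ID-value pairs

def signature_schemes(apk):
    """Return which signature schemes are present in the APK bytes."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
    found = set()
    # v1 (JAR signing): the part that deleting META-INF removes
    if any(n.startswith("META-INF/") and n.upper().endswith(".SF") for n in names):
        found.add("v1")
    # v2+: the block sits immediately before the ZIP central directory
    eocd = apk.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd >= 32 and apk[cd - 16:cd] == MAGIC:
        size = struct.unpack_from("<Q", apk, cd - 24)[0]
        pos, end = cd - size, cd - 24   # first pair .. trailing size field
        while pos >= 8 and pos + 12 <= end:
            pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
            found.add(SCHEME_IDS.get(pair_id, hex(pair_id)))
            pos += 8 + max(pair_len, 4)
    return sorted(found)

def make_sample(v1, v2):
    """Constructed test input: a tiny zip, optionally with META-INF and a dummy v2 block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if v1:
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
    raw = bytearray(buf.getvalue())
    if v2:
        eocd = raw.rfind(b"PK\x05\x06")
        cd = struct.unpack_from("<I", raw, eocd + 16)[0]
        pair = struct.pack("<QI", 12, 0x7109871A) + b"\x00" * 8  # placeholder value
        size = struct.pack("<Q", len(pair) + 24)
        block = size + pair + size + MAGIC
        struct.pack_into("<I", raw, eocd + 16, cd + len(block))  # fix central dir offset
        raw[cd:cd] = block
    return bytes(raw)

if __name__ == "__main__":
    print("signed v1+v2:    ", signature_schemes(make_sample(True, True)))
    print("META-INF deleted:", signature_schemes(make_sample(False, True)))
```

On a real file, pass `open(path, "rb").read()`; a result of only `v2` after deleting META-INF means the stale signing block is still in the archive.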

@Phil Calvin 2016-10-13 13:27:39

Assuming your keys are stored in keys.keystore, you can run:

$ keytool -list -keystore keys.keystore
Your keystore contains 1 entry

your_key_alias, Jan 3, 2013, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 8C:C3:6A:DC:7E:B6:12:F1:4C:D5:EE:F1:AE:17:FB:90:89:73:50:53

to determine the alias of your key. Then run:

zip -d your_app.apk "META-INF/*"
jarsigner -verbose -keystore keys.keystore \
   -sigalg MD5withRSA -digestalg SHA1 -sigfile CERT \
   your_app.apk your_key_alias

to re-sign your_app.apk with the key named your_key_alias.

The extra -sigfile CERT option seems to be necessary as of JDK 8.

@kreker 2016-01-17 21:05:19

zip -d my_application.apk META-INF/\*
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
zipalign -v 4 my_application.apk my_application-aligned.apk

@Jorgesys 2010-07-16 17:27:30

try this

1) Change the extension of your .apk to .zip

2) Open and remove the folder META-INF

3) Change the extension to .apk

4) Use the jarsigner and zipalign with your new keystore.

hope it helps

@Anton 2010-07-16 19:01:27

I gave that a go, but when I try to install the app it throws a parse exception.

@Jorgesys 2010-07-16 19:55:49

hi Anton post your stacktrace

@Anton 2010-07-16 20:23:55

I posted the result in my question

@Christopher Orr 2010-07-16 20:33:03

Sounds like you deleted AndroidManifest.xml from the root of the APK file, rather than only the META-INF.

@Jorgesys 2010-07-16 20:43:19

hehe =) java.io.FileNotFoundException: AndroidManifest.xml

@Anton 2010-07-17 00:35:36

Nope I didn't. I did exactly those 4 steps.

@Falmarri 2010-07-17 06:15:23

Well I don't really have experience with what you're doing, but the /data directory has permissions 770, so you can't even list the contents of the /data directory.

@Fatih 2014-01-03 10:43:40

if you want a quick solution just check out my answer stackoverflow.com/a/16146126/700869

@pevik 2014-07-02 06:18:19

This is what the vendor script sign_target_files_apks does (well, it works with a zip archive of target files).

@kreker 2016-01-17 20:59:34

Steps 1-3 are just: zip -d foo.apk META-INF/*

@mohammad 2016-07-04 12:08:13

@Elenasys thanks for your solution. It works, but I have a problem: I want to change the manifest of an apk file and use its own meta-info folder. I need to re-sign an .apk with a different apk certificate, for example sign my app with the Facebook certification. Is it possible?

@patrickf 2016-11-18 15:34:05

This will not work with apks signed with the new v2 signing schema source.android.com/security/apksigning/v2.html

@Led 2017-10-11 11:17:11

How the heck do you do number 3

@patrickf 2018-02-03 08:04:44

NOTE: This won't work with APK signing schema v2 (~2017)

@gilm 2013-06-11 11:07:58

All the solutions above work. Just a note why it didn't work for you when you re-zipped:

Some of the files inside the .apk need to remain stored (compression at 0%). This is because Android will use memory mapping (mmap) to read the contents without unpacking into memory. Such files are .ogg and some of the icons.

@Kefik 2014-09-15 13:20:29

Just experienced this ... if you rezip APK completely, it will lead to inexplicably weird behavior. APK can be installed, APP may/may not start up, but will freeze eventually when it hits mmap code that is zipped.
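
Added example (not from the posts above): a check that lists entries which were stored in the original APK but came out compressed after a rebuild, next to a META-INF removal that keeps each entry's compression method. The function names and the sample archive are constructed for this illustration.

```python
import io
import zipfile

def stored_entries(apk_bytes):
    """Names of entries kept uncompressed (ZIP_STORED) in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename for i in zf.infolist() if i.compress_type == zipfile.ZIP_STORED}

def newly_compressed(original, rebuilt):
    """Entries stored in the original but compressed in the rebuilt APK."""
    with zipfile.ZipFile(io.BytesIO(rebuilt)) as zf:
        present = set(zf.namelist())
    return sorted((stored_entries(original) - stored_entries(rebuilt)) & present)

def rebuild(apk_bytes, keep_methods):
    """Copy every entry except META-INF/; keep_methods=False mimics a naive re-zip."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename.startswith("META-INF/"):
                continue  # drop the old v1 signature files
            copy = zipfile.ZipInfo(info.filename, info.date_time)
            copy.compress_type = info.compress_type if keep_methods else zipfile.ZIP_DEFLATED
            copy.external_attr = info.external_attr
            dst.writestr(copy, src.read(info.filename))
    return out.getvalue()

def sample_apk():
    """Constructed stand-in for an APK: one stored asset, one deflated file, one signature file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/raw/sound.ogg", b"OggS" * 64, compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\x00" * 64, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n",
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

if __name__ == "__main__":
    apk = sample_apk()
    print("naive re-zip compressed:", newly_compressed(apk, rebuild(apk, keep_methods=False)))
    print("method-preserving copy: ", newly_compressed(apk, rebuild(apk, keep_methods=True)))
```

The rebuilt archive is unsigned and unaligned, so it still has to go through the signing and zipalign steps from the answers on this page.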

@Harsha.Vaswani 2013-04-08 08:59:44

Signing for release: $1.apk -> $1_release.apk" GeneralMills&GoogleApps#2012

Step 1: Removing any previous signing

  Change the extension of your .apk to .zip
  Open and delete the folder META-INF
  Change the extension to .apk

  Or

  Command:
  • zip -d [originalapk] "META-INF/*"
  Example:
  • zip -d "$1".apk "META-INF/*"

Step 2: Signing with release.keystore..

  Command:
  • jarsigner -verbose -keystore [keystorefile] -signedjar [unalignedapk] [originalapk] alias_name
  Example:
  • C:\Program Files\Java\jdk1.6.0_43\bin> jarsigner -verbose -keystore release.keystore -signedjar "$1"_unaligned.apk "$1".apk release

Step 3: Aligning

  Command:
  • zipalign -f 4 [unalignedapk] [releaseapk]
  Example:
  • C:\Users\G535940\Downloads\adt-bundle-windows-x86\adt-bundle-windows-x86\sdk\tools>zipalign -f 4 "$1"_unaligned.apk "$1"_release.apk

Step 4: Cleaning up

  Command:
  • rm [unalignedapk]
  Example:
  • rm "$1"_unaligned.apk

Additional commands that might help:

  1. To generate a new key with keytool: keytool -genkey -alias alias_name -keystore [keystorefile]

  2. To list keys: keytool -list -keystore [keystorefile]

Command to generate a keyhash for the Facebook features

  Command:
  • keytool -exportcert -alias alias_name -keystore [keystorefile] | openssl sha1 -binary | openssl base64
  Example:
  • C:\Program Files\Java\jdk1.6.0_43\bin>keytool -exportcert -alias release -keystore release.keystore | openssl sha1 -binary | openssl base64

Note: To sign our apks we have downgraded JDK from 1.7 to 1.6.0_43 update.

Reason: As of JDK 7, the default signing algorithm has changed, requiring you to specify the signature and digest algorithms (-sigalg and -digestalg) when you sign an APK.

Command: jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore [keystorefile] [originalapk] alias_name
