
How to Use APK Signature Scheme v3 in Android?

Last Updated : 26 Jan, 2023

Android 13 adds support for APK Signature Scheme v3.1, an upgrade to the previous APK Signature Scheme v3. This scheme addresses some of the known rotation-related problems with APK Signature Scheme v3. With the v3.1 signature scheme, a single APK can carry both the original and the rotated signers. The v3.1 signature scheme additionally supports SDK version targeting, so that rotation can target a later platform release. The block ID used by the v3.1 signature scheme is not recognized on 12L or lower. The platform therefore enforces the following signer behavior:

There is no need to take any further action for apps whose signing key hasn’t yet been rotated. When these apps decide to rotate, the system automatically uses the v3.1 signature scheme:

  • The rotating signer in the v3.1 block is used by devices running Android 13 or higher.
  • Older Android-powered devices use the original signer from the v3.0 block and ignore the rotated signer.

Apps that have already rotated must update their apksigner invocation in order to continue using their rotated signing key in the v3.0 signing block:

apksigner sign --ks gfgSampleKeystore.jks \
  --key key.pk8 --cert cert.x509.pem \
  --rotation-min-sdk-version API_LEVEL \
  [the_signing_options go here] gfgSampleApp.apk

Support for tablets and big screens

With improvements to the system UI, multitasking, and compatibility modes, Android 13 builds on the tablet optimizations made in Android 12 and the 12L feature drop. Make sure your apps display optimally on tablets and other devices with large screens as part of your testing.

Improved error reporting in KeyMint and KeyStore

Keystore and KeyMint now offer more thorough and precise error indicators for apps that generate keys. An exception class hierarchy has been added under java.security.ProviderException, with Android-specific exceptions that carry Keystore/KeyMint error codes and indicate whether the problem is retryable. Additionally, you can change the methods that create and use keys (for signing and encryption) to throw the new exceptions. The improved error reporting is not limited to key generation, and it should now give you what you need to retry key generation.

The new exception gives details about a failure while creating or using a key at the Keystore / KeyMint layer. Its public error codes identify the error's root cause, and its methods indicate any system or key-related problems and the likelihood that re-running the operation (with the same key or a different key) will succeed.

With Java 11 language support and library changes, Android 13 begins the process of updating Android’s core libraries to be in line with the OpenJDK 11 LTS release. A Google Play system update to the ART Mainline Module will make the Android 13 core library modifications accessible to Android 12 devices as well.

Newly added String class methods:

  1. isBlank()
  2. lines()
  3. repeat()
  4. strip()
  5. stripLeading()
  6. stripTrailing()

GeekTip: Attention: If you use apksigner to sign your APK and then modify the APK, the APK's signature will no longer be valid. If you plan to use zipalign to align your APK, run it before signing the APK.

An APK is typically signed by a single signer. When you need to sign an APK with more than one signer, use the --next-signer option to separate the sets of general options that apply to each signer.

apksigner uses the lowest possible Android framework API level to guarantee that the APK's signature will be validated. Higher values of this minimum level limit the APK's availability to devices running more recent versions of Android but allow the tool to use stronger security parameters when signing the app.

Image #1: Understanding the newer V3 Scheme in Android 13.

Conclusion

In many ways, key rotation is a great tool for developers. To begin with, it can help developers working in teams on a single project, because they don't have to disclose their signing keys to the team. At present, all apps need to be compiled by the same developer, or by a group of developers using the same key, which reduces safety (there is a higher risk of the key being stolen) and slows down development, because each app requires the exact same signature for upgrading.

