For publishing on the Google Play Store or distributing a production app, you must use your own keystore.
For most standard use cases, Android’s own apksigner (via the Android SDK Build Tools) is more secure, officially supported, and does not require an untrusted download. Example usage:
apksigner sign --ks my.keystore --out signed.apk unsigned.apk
Open your browser and navigate to: https://github.com/patrickfav/uber-apk-signer download uber-apk-signer.jar
This repository is maintained by Patrick Favre-Bulle, a well-known security engineer. It is actively updated and trusted by the community.
Q1: Is uber-apk-signer.jar free?
Yes, it is open-source under the Apache License 2.0. For publishing on the Google Play Store or
Q2: Can I sign an already signed APK?
Yes, but the original signature will be replaced. You cannot "add" a second signature like with some other tools.
Q3: Does it work on Android devices (via Termux)?
Yes, as long as you have Java installed for Termux (e.g., openjdk-17), you can run the JAR directly on your phone. Open your browser and navigate to:
https://github
Q4: What is the difference between uber-apk-signer and apksigner from Android SDK?
apksigner is more "official" but slower and harder to script. uber-apk-signer is faster, standalone, and offers better batch processing.
Q5: How do I create a new keystore if I don’t have one?
You can let uber-apk-signer generate a debug keystore automatically. For a production keystore, use:
keytool -genkey -v -keystore my-release-key.jks -alias myalias -keyalg RSA -keysize 2048 -validity 10000
To check if an APK is already signed and aligned correctly:
java -jar uber-apk-signer.jar --verify --verbose --apks /path/to/app.apk