Why do I get "no manifest." and "jar is unsigned." when doing "jarsigner -verify -verbose -certs" for my APK

Question

I have one of my Android projects producing unsigned APKs. I'm using below provided configuration and then verifying produced APKs. I'm sure Gradle is using my provided keystore file because I tried changing the path and password and the build was failing.

APKs are not signed after all

jarsigner -verify -verbose -certs /Users/viliuskraujutis/.../path-to-newly-created.apk

The output is this:

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

no manifest.

jar is unsigned.

Signing from build.gradle

For the context I'm signing like this:

android {
...
    signingConfigs {
        release {
            storeFile file("my-key-used-in-other-successful-project.keystore")
            storePassword "my-password-used-in-other-successful-project"
            keyAlias "my-alias-used-in-other-successful-project"
            keyPassword "my-password-used-in-other-successful-project"
        }
    }

score 2 · Accepted Answer · answered Sep 11 '22 at 22:13

2

You likely have a minSdkVersion of 24 or higher. If that's the case then AGP uses a more efficient signing scheme called "V2 signing" and because all Android devices on 24+ support this scheme, it is no longer needed to sign with "v1 scheme" (i.e.jar signing). V2 scheme is completely independent of jar signing, that's why jarsigner thinks the APK is unsigned. If you use apksigner (provided in Android tools), then you can check that your APK is in fact correctly signed.

answered Sep 11 '22 at 22:13

Pierre

15,865
4
36
50

This was a very good and useful answer. – ViliusK Sep 13 '22 at 04:47
Thank you @Pierre. I have accepted your answer and added additional notes how it was fixed see here: https://stackoverflow.com/a/73697682/517381 – ViliusK Sep 13 '22 at 04:58

score 0 · Answer 2 · answered Sep 13 '22 at 04:54

The problem was as @Pierre posted yesterday - the minSdk version was 30, and since it's >23 - it uses v2/v3 signing scheme by default.

For maximum compatibility, we decided to use multiple signing schemes as per android.com recommendation.

And the fix for the app/build.gradle was that simple - we have set v1SigningEnabled and v2SigningEnabled to true. Like this:

    signingConfigs {
        release {
            storeFile file('...')
            storePassword '...'
            keyAlias '...'
            keyPassword '...'
            v1SigningEnabled true
            v2SigningEnabled true
        }
    }

Why do I get "no manifest." and "jar is unsigned." when doing "jarsigner -verify -verbose -certs" for my APK

APKs are not signed after all

Signing from build.gradle

2 Answers2