apksigcopier - copy/extract/patch android apk signatures & compare apks
Contents
Commands
copy
Copy (extract & patch) signatures from signed to unsigned APK.
extract
Extract APK signatures from signed APK.
patch
Patch extracted APK signatures onto unsigned APK.
compare
Compare two APKs by copying the signature from the first to a copy of the second and checking if the re‐
sulting APK verifies.
This command requires apksigner(1).
NB: copying from an APK v1-signed with signflinger to an APK signed with apksigner works, whereas the re‐
verse fails; see the FAQ in the README.
Copyright
Copyright © 2023 FC Stegerman. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licens‐
es/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY,
to the extent permitted by law.
Description
A command line tool for copying android APK signatures from a signed APK to an unsigned one (in order to
verify reproducible builds). It can also be used to compare two APKs with different signatures.
Environment Variables
The following environment variables can be set to 1, yes, or true to override the default behaviour.
APKSIGCOPIER_EXCLUDE_ALL_META
Exclude all metadata files, not just MANIFEST.MF.
APKSIGCOPIER_COPY_EXTRA_BYTES
Copy extra bytes after data (e.g. an existing v2 signature).
APKSIGCOPIER_SKIP_REALIGNMENT
Skip realignment of ZIP entries.
Examples
extract
$ mkdir meta
$ apksigcopier extract signed.apk meta
$ ls -1 meta
8BEA2A77.RSA
8BEA2A77.SF
APKSigningBlock
APKSigningBlockOffset
MANIFEST.MF
patch
$ apksigcopier patch meta unsigned.apk out.apk
copy
$ apksigcopier copy signed.apk unsigned.apk out.apk
compare
$ apksigcopier compare foo-from-fdroid.apk foo-built-locally.apk
$ apksigcopier compare foo.apk --unsigned foo-unsigned.apk
Name
apksigcopier - copy/extract/patch android apk signatures & compare apks
Options
copy/extract/patch
--v1-only [no|auto|yes]
Whether to expect only a v1 signature: no means a v2 signature is expected as well, auto means the pres‐
ence of a v2 signature is detected automatically, and yes means a v2 signature is not expected (and ig‐
nored if it does exist). Default: no.
You can also set the environment variable APKSIGCOPIER_V1_ONLY instead.
compare
--unsigned
Accept unsigned second_apk.
--min-sdk-version
Passed to apksigner(1) when verifying.
--verify-cmd
Command (with arguments) used to verify APKs. Default: apksignerverify.
See Also
apksigner(1)
Synopsis
apksigcopier copy [options] signed_apkunsigned_apkoutput_apkapksigcopier extract [options] signed_apkoutput_dirapksigcopier patch [options] metadata_dirunsigned_apkoutput_apkapksigcopier compare [options] first_apksecond_apkapksigcopier --version
apksigcopier --help
apksigcopier [command] --help
