Android Signing & Packaging
Generate a keystore, understand Android's V1/V2/V3 signature schemes, and build distributable APKs with Android Studio or Gradle for release on Pgyer.
Android requires every app to be digitally signed before installation, and the signature determines whether future builds are treated as "the same app" and can upgrade installed versions. This guide covers generating a signing key, packaging an APK, and what to watch out for when distributing through Pgyer.
Debug vs. Release Signing
Android Studio automatically uses a debug signature for local builds; for external distribution you need to generate and safeguard a release keystore yourself.
| Type | Source | Use Case |
|---|---|---|
| Debug | Auto-generated at ~/.android/debug.keystore by Android Studio | Local development, on-device debugging |
| Release | Created manually via keytool, must be backed up offline | Distribution via Pgyer, publication to app stores |
Pgyer does not validate the signature type — debug-signed APKs can be uploaded too. However, if a tester installs the debug version first and then tries to install the release version, Android will reject the upgrade due to the mismatched signatures. Use a release signature from day one when distributing to testers.
Generating a Keystore
keytool, bundled with the JDK, can produce a long-lived keystore:
```bash
keytool -genkeypair -v \
  -keystore my-release-key.jks \
  -keyalg RSA -keysize 2048 -validity 10000 \
  -alias my-alias
```

| Parameter | Description |
|---|---|
| -keystore | Output keystore file name |
| -keyalg | Key algorithm; RSA recommended |
| -keysize | Key length; 2048 or greater recommended |
| -validity | Validity in days; 10000 (≈27 years) or more recommended |
| -alias | Key alias referenced during packaging |
The command prompts for keystore and alias passwords plus organization details — store them in a password manager.
A lost keystore or password cannot be recovered. Once lost, you can no longer publish updates for the same applicationId — Android refuses to overwrite an installed app with one signed by a different key. Back up the keystore offline and keep the passwords separate from the main codebase.
Signature Schemes: V1 / V2 / V3 / V4
Android introduced four signature schemes over time. Newer schemes are backward compatible and don't replace older ones:
| Scheme | Introduced | Notes |
|---|---|---|
| V1 (JAR Signature) | Early versions | Signs files inside the APK individually; broadest compatibility |
| V2 (APK Signature Scheme v2) | Android 7.0 | Signs the whole APK; faster installs, stronger tamper resistance |
| V3 | Android 9.0 | Adds key rotation on top of V2 |
| V4 | Android 11 | Emits a separate .idsig file for incremental install |
Enabling V1 + V2 together (Android Studio's default) covers both older systems and stronger integrity checks.
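As an added example (not Pgyer's code), the following Python script reports which signature schemes an APK carries: it looks for V1 signature files under META-INF/ and parses the APK Signing Block for the V2/V3 block IDs defined in AOSP's apksigner. The build_sample_apk fixture is constructed for the demonstration only and performs no real signing; block IDs it does not recognise (padding, store metadata) are reported raw.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"          # per AOSP APK Signing Block format
SCHEME_BLOCK_IDS = {0x7109871A: "V2", 0xF05368C0: "V3"}  # block IDs from AOSP apksigner

def _find_eocd(data: bytes) -> int:
    i = data.rfind(b"PK\x05\x06")  # zip End Of Central Directory signature
    if i < 0:
        raise ValueError("not a zip/APK: EOCD record missing")
    return i

def detect_signature_schemes(data: bytes) -> set:
    schemes = set()
    # V1 (JAR signing) leaves signature-block files under META-INF/
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")) for n in zf.namelist()):
            schemes.add("V1")
    # V2/V3 live in the APK Signing Block right before the Central Directory:
    # [size u64][ID-value pairs][size u64][16-byte magic]; size excludes the leading field
    cd_offset = struct.unpack_from("<I", data, _find_eocd(data) + 16)[0]
    if data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return schemes
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    pos, end = cd_offset - size, cd_offset - 24  # pairs run from block start + 8 to trailing size
    while pos < end:
        length, block_id = struct.unpack_from("<QI", data, pos)  # length covers ID + value
        schemes.add(SCHEME_BLOCK_IDS.get(block_id, f"unknown-0x{block_id:08x}"))
        pos += 8 + length
    return schemes

def build_sample_apk(v1: bool, block_ids) -> bytes:
    """Constructed fixture: a tiny zip, optionally with a fake signing block (no real crypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        if v1:
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder, not a real PKCS#7 blob
    data = buf.getvalue()
    if not block_ids:
        return data
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + 8, bid) + b"\x00" * 8 for bid in block_ids)
    size = len(pairs) + 8 + len(APK_SIG_BLOCK_MAGIC)
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    # Patch the Central Directory offset in the EOCD so the zip stays valid after the insert
    eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + eocd_rec
```

Running detect_signature_schemes over a real app-release.apk gives the same scheme list that apksigner verify --verbose prints, which is handy for a pre-upload check in CI without the SDK installed.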
Packaging with Android Studio
- Choose Build → Generate Signed Bundle / APK from the menu.
- Pick APK (not Android App Bundle — see below).
- Select an existing keystore, or click Create new and fill in alias and passwords.
- Set Build Variants to release and check both V1 and V2 under Signature Versions.
- The signed APK ends up in app/release/ inside the module directory.
Packaging with Gradle
Configure signing in app/build.gradle:
```groovy
android {
    signingConfigs {
        release {
            storeFile file("my-release-key.jks")
            storePassword System.getenv("KEYSTORE_PASSWORD")
            keyAlias "my-alias"
            keyPassword System.getenv("KEY_PASSWORD")
        }
    }
    buildTypes {
        release {
            signingConfig signingConfigs.release
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
}
```

Then run:

```bash
./gradlew assembleRelease
```

The output at app/build/outputs/apk/release/app-release.apk can be uploaded to Pgyer directly.
Never commit plaintext storePassword / keyPassword in build.gradle. Inject them through environment variables, ~/.gradle/gradle.properties, or your CI's encrypted credential store.
Verifying an APK's Signature
Before uploading, apksigner from the Android SDK build-tools can verify the signature:
```bash
apksigner verify --verbose app-release.apk
```

The output lists active signature schemes (V1/V2/V3) and certificate details. A DOES NOT VERIFY message means the APK is unsigned or the signature is broken — rebuild.
About Android App Bundle (AAB)
Android App Bundle (.aab) is Google Play's newer publishing format; Google Play generates device-specific APKs from it on demand. Pgyer currently only supports APK distribution, not AAB. In Android Studio's export dialog, pick "APK"; with Gradle, run assembleRelease rather than bundleRelease.
Common Issues
"Signature mismatch" or "conflicting app" error during install
Android does not allow apps with the same applicationId but different signatures to overwrite each other. The tester needs to uninstall the old version first. The usual cause: the tester had a debug-signed build installed before receiving a release-signed one.
The download page says "unsigned" after uploading a release APK
Run apksigner verify locally first. A DOES NOT VERIFY result usually means the wrong build type was packaged (e.g. debug exported as release) or the signing config didn't take effect.
How should a team share the keystore among multiple packagers?
Store the keystore in an encrypted team vault (1Password, Bitwarden) — never in the code repository. In CI, inject the file and passwords via encrypted credentials (GitHub Actions Secret, Jenkins Credentials, etc.) to keep them out of build logs.
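As an added example (not Pgyer's own configuration), this GitHub Actions job shows the CI injection described above: the keystore is restored from a base64 secret into the path the build.gradle signing config expects, the passwords reach Gradle only through the environment variables that config reads, and the APK is verified before it leaves the runner. The secret names, the build-tools version and the tag trigger are assumptions.

```yaml
name: release-apk
on:
  push:
    tags: ["v*"]            # assumed trigger; adjust to your release flow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"
      - name: Restore release keystore from an encrypted secret
        run: echo "$KEYSTORE_BASE64" | base64 -d > app/my-release-key.jks
        env:
          KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}   # assumed secret name
      - name: Build the signed release APK
        run: ./gradlew assembleRelease
        env:
          # Same variable names the signingConfigs block reads via System.getenv
          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
      - name: Verify the signature before uploading
        run: |
          # build-tools version is an assumption; use the one installed on the runner
          "$ANDROID_HOME/build-tools/34.0.0/apksigner" verify --verbose \
            app/build/outputs/apk/release/app-release.apk
      - name: Remove the keystore from the workspace
        if: always()
        run: rm -f app/my-release-key.jks
```

Passing secrets through env rather than interpolating them into the run line keeps them out of the command echoed in the job log.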