Skip to main content
This guide assumes your Product Admin has already created a Signer and assigned you to it. If the signer has an approval policy, you’ll also need active access before signing.
Sign Android APK and Android App Bundle (AAB) files using apksigner with the Infisical PKCS#11 module. Since apksigner is a Java-based tool, it uses the same SunPKCS11 provider approach as jarsigner.

Prerequisites

Step 1: Set Up Authentication

Configure the Infisical PKCS#11 module with your machine identity credentials. Without this, the signing commands below fail with an auth error. Create /etc/infisical/pkcs11.conf (or set INFISICAL_CONFIG to point elsewhere):
You can also pass the credentials via environment variables:
Environment variables override values from the config file.
For the full set of options, see the PKCS#11 module configuration reference.

Step 2: Create the SunPKCS11 Provider Configuration

Create a configuration file for Java’s SunPKCS11 provider. Save it as infisical-pkcs11.cfg:
On macOS, use .dylib. On Windows, use .dll. If you have multiple signers and need a specific one, add slot = 0 (replace with the correct slot index).

Step 3: Sign an APK

Use apksigner with the PKCS#11 provider:
  • --ks NONE: Required when using PKCS#11 (no file-based keystore).
  • --ks-type PKCS11: Tells apksigner to use the PKCS#11 provider.
  • --ks-key-alias: The signer name (token label in PKCS#11).
  • --out: Writes the signed APK to a new file. Without this flag, apksigner modifies the APK in place.
When prompted for a keystore password, press Enter (the module authenticates using the credentials from your environment variables or config file).

Signing an Android App Bundle (AAB)

For AAB files, use jarsigner instead of apksigner since AAB signing follows the JAR signing format:

Step 4: Verify the Signature

Verify the signed APK. If you signed in place (without --out), verify the same file. If you used --out, verify the output file:
The output confirms the APK signature is valid:

CI/CD Integration

Example for a Gradle-based Android project in CI:

Troubleshooting

For any issue, enable debug logging in your config file ("log_level": "debug", "log_file": "/tmp/infisical-pkcs11.log") to get detailed output.
Ensure the --provider-class is sun.security.pkcs11.SunPKCS11, the --provider-arg points to a valid config file, and the --ks-key-alias matches your signer name exactly.
Use apksigner (not jarsigner) for APK signing. Only apksigner applies v2/v3 APK signature schemes.

What’s Next?

Sign JARs

Sign Java artifacts with jarsigner

Sign Windows Binaries

Sign Windows executables with osslsigncode