From Cordova export to signed APK with Cordova CLI on Windows 10




This tutorial is licensed under CC BY 4.0. Please refer to the license text if you wish to reuse, share or remix the content contained within this tutorial.

Signing your release APK

First we have to build a release APK.

Open Windows PowerShell (command prompt), go to the root folder of your project export and type:

    cordova build --release android

The APK should be in projectfolder\platforms\android\app\build\outputs\apk\release. When building with Crosswalk, the APKs are there in platform-specific folders.

What is a keystore

A keystore file is a file that contains the key(s) to sign your app(s). One keystore file can contain different keys for different apps. These keys are unique. Updates need to have the same key as the APK in the Play Store. So if you lose your keys, you cannot update your apps.

You can sign all your apps with the same key. But I would advise using a different key for each app. All your keys can be stored in the same keystore file.

To generate the keystore we are going to use the Java command 'keytool'.

You can generate the keystore file anywhere on your computer (e.g. in your JAVA\Bin folder) and copy it around later. Or just add an absolute path to it in the command. But since I added Java to the path, I did it in the folder the release APK is in. This makes the following steps easier.

Brief overview of the parameters needed:

-genkey : or -genkeypair. generate a key pair

-v : verbose output

-keystore MyKeyStore.keystore : store in keystore with given name

-alias AliasOfYourApp : alias of the app you wanna sign e.g. myapp

-keyalg RSA : Algorithm name

-keysize 2048 : Size of the key

-validity : Number of days the key is valid. Must be valid for the whole lifespan of your app, or at least as long as you wanna be able to update.

The keytool will ask the following questions:

1. Enter keystore password: Strong Password to protect the keystore file

2. What is your first and last name?:

3. What is the name of your organizational unit?

4. What is the name of your organization?

5. What is the name of your City or Locality?

6. What is the name of your State or Province?

7. What is the two-letter country code for this unit?

8. Enter key password for <Your_App_Name>: Strong Password to protect the key

I answered questions 2 and 4 with the same values as I gave in the Play Store. Is that necessary or not?

I found it a good idea to write down the answers to the questions before generating the keystore.

Generating a keystore

Open the command prompt (and go to projectfolder\platforms\android\app\build\outputs\apk\release) and type:

    keytool -genkey -v -keystore MyKeyStore.keystore -alias AliasOfYourApp -keyalg RSA -keysize 2048 -validity 10000

On success you will have a file called MyKeyStore.keystore in the folder where you ran the command. Be careful with it. You need it every time you wanna update your app.

Adding a key for another app goes the same way, with a different alias of course.

If you wanna check which app alias and key combinations are in the keystore:

    keytool -list -v -keystore MyKeyStore.keystore

Signing your APK

Make sure your release APK and keystore file are in the same folder. Open the command prompt and go to that folder. Jarsigner will ask for your keystore and app-key password.

MyKeyStore.keystore is your keystore file as you named it with the keytool

app-release-unsigned.apk is your apk as cordova named it

AliasOfYourApp is the Alias you used with the keytool

    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore MyKeyStore.keystore app-release-unsigned.apk AliasOfYourApp

On success you will have a signed APK that is still called app-release-unsigned.apk. Do not rename it.

The keystore file and unsigned apk file can be in different folders, but then you have to include the paths to them in the command.

As given, the jarsigner command gives a warning:

No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2045-08-19) or after any future revocation date.

Why? We signed the APK on a certain date. Jarsigner takes that date from the PC clock, which is not a proven date. But with a validity of 10,000 days after creating your key, I feel this is not going to be a problem. You seem to be able to get rid of this warning by adding -tsa to the command, where the URL is an example of a proven source for a timestamp. For more information see:

Aligning apk name with new status

If you added the folder with the android\sdk\build-tools to your path as suggested above, you can keep your command prompt open and type:

    zipalign -v 4 app-release-unsigned.apk MyAppName.apk

On success you have 2 APKs: app-release-unsigned.apk and MyAppName.apk. The last one is the one you can upload to the Play Store.

When you build for Crosswalk and you get 5 APKs, you have to sign every APK you wanna upload to the Play Store with the same keys.
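
Because updates must carry the same key as the APK already in the Play Store, it is worth checking the finished files before uploading. The PowerShell script below is an added example, not part of the original tutorial: it reads the signer certificate out of each APK, compares it with the fingerprint of your key, and checks the alignment. It assumes keytool and zipalign are on the path; `$ExpectedSha256`, `$Apks`, `Get-ApkSignerSha256` and `Test-ReleaseApk` are names made up for this example, and the fingerprint is a placeholder you fill in.

```powershell
# Added example: check the APKs you are about to upload.
# Assumes keytool and zipalign are on PATH and that you run this from the APK folder.

# Placeholder: paste the "SHA256:" value that
# "keytool -list -v -keystore MyKeyStore.keystore" shows for AliasOfYourApp.
$ExpectedSha256 = '<SHA256-FINGERPRINT-OF-YOUR-KEY>'

# APKs to check; with Crosswalk, list every APK you upload.
$Apks = @('MyAppName.apk')

function Get-ApkSignerSha256 {
    param([Parameter(Mandatory)][string]$ApkPath)
    # Reads the signer certificate from the signed archive; no password is needed.
    $out = & keytool -printcert -jarfile $ApkPath
    $hit = $out | Select-String -Pattern 'SHA-?256:\s*([0-9A-Fa-f:]+)' | Select-Object -First 1
    if (-not $hit) { return $null }   # keytool found no jarsigner signature
    return $hit.Matches[0].Groups[1].Value
}

function Test-ReleaseApk {
    param([Parameter(Mandatory)][string]$ApkPath,
          [Parameter(Mandatory)][string]$Expected)
    if (-not (Test-Path $ApkPath)) { throw "APK not found: $ApkPath" }
    $actual = Get-ApkSignerSha256 -ApkPath $ApkPath
    # zipalign -c only checks alignment and exits non-zero when the file is not aligned.
    & zipalign -c 4 $ApkPath | Out-Null
    [pscustomobject]@{
        Apk        = $ApkPath
        Signed     = [bool]$actual
        KeyMatches = ($actual -eq $Expected)   # -eq ignores case for strings
        Aligned    = ($LASTEXITCODE -eq 0)
    }
}

$results = foreach ($apk in $Apks) { Test-ReleaseApk -ApkPath $apk -Expected $ExpectedSha256 }
$results | Format-Table -AutoSize

# Stop if any APK is unsigned, signed with another key, or not aligned.
$bad = @($results | Where-Object { -not ($_.Signed -and $_.KeyMatches -and $_.Aligned) })
if ($bad.Count -gt 0) {
    throw "Do not upload: $($bad.Apk -join ', ') failed a check."
}
```

Recording the fingerprint somewhere other than the PC that holds the keystore also lets you confirm that a restored backup of MyKeyStore.keystore still contains the right key.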


  • Hello, I haven't updated C2 for a long time. I recently found that after updating to r261 or later, the Android app built by the Cordova CLI cannot be opened on the phone. Black screen, the app can't start. Can you help me?

    R261 cannot build API 28