Page tree
Skip to end of metadata
Go to start of metadata

Administrators can download a signing package to sign native apps outside of the Admin Portal. For iOS and Android apps, using the signing package is an alternative to signing with the Portal. However, iOS apps with watchOS components must be signed with the signing package.

For more information about what signing is and why you need to do it, see About Signing


When you re-sign an app that was already installed on any of your users' devices, it is important that you sign it with the same signing credentials used to previously sign it.

Signing Package & App Policies

If you download the signing package for an app that has policies applied to it, App Management retains those policy settings when you sign the app; you do not need to reapply the policies after you upload the signed app. In fact, you should not reapply policies to the app. If you do, the app will no longer function properly. If you need to modify an app's policies or apply new policies, you must first upload the original version of the app.

Signing Hybrid Apps

If the iOS or Android application was created when you added a hybrid app to App Management, you cannot edit the application to upload the signed version. Instead, you will need to add a new iOS or Android application and upload the IPA or APK that you signed using the signing package.

Note that when you add an app as a new iOS or Android application, it will not retain policies that you applied to the app before downloading the signing package. Therefore, if you apply policies to a hybrid app, you should sign it with the Admin Portal.

Download the Signing Package

Before you can sign an app with the signing package, you must download it.

To download the signing package for an app
  1. On the Admin Portal nav bar, click Applications
  2. Find the app you want to sign.
  3. Click Sign under the app's name. The app's Details page opens to the Signing tab.
  4. Click Download Signing Package at the bottom of the page.
  5. In the dialog box that opens, click Save File and save the signing package ZIP file to your computer. 
  6. Unzip the ZIP file into a directory. The rest of this page refers to that directory as the "working directory." 

The signing package includes the app binary file and a README with a brief version of the instructions on this page. Depending on the app type, the package may also include a signing script and some other files.

 Click here for a description of the signing package contents based on app type...
App TypeContent of the Signing Package

.ipa file

App binary.

Signing script.


A manifest file included in the signing package only if the app includes app extensions.

If your app includes extensions, you may need to modify this file, as described in the Sign an iOS App procedure below.

README file-

Instructions for using the signing script.

.apk file

App binary.


Instructions for using the Jarsigner utility provided with the Android SDK.

Sign an iOS App

Before You Begin

Check that you have met all of the requirements in Signing Prerequisites.

In the procedure below, you will need to copy the required provisioning profiles to the working directory where you unzipped the signing package. If your app does not contain extensions, you need only one distribution provisioning profile. If your app contains extensions or watchOS components, you may need multiple distribution profiles. For more information, see App Extensions and Entitlements.

For instructions on creating a distribution certificate and distribution provisioning profiles, as well as information on the difference between wildcard and explicit provisioning profiles, see iOS Signing Requirements

Sign the iOS App

To sign an iOS app using the signing package
  1. Copy one or more distribution provisioning profiles to the working directory. If the app has extensions, be sure to copy all the profiles needed to sign the app.  
  2. Open a Terminal and change to the working directory.
  3. If your app contains extensions and you are signing with distribution provisioning profiles that have bundle IDs that don't match the bundle IDs for the app and its extensions, then continue with this step. Otherwise, continue with step 4. 

    When App Management creates the iOS signing package, it determines how many parts of your app need to be signed and lists these parts in the signables_manifest.txt file. If the App IDs in your distribution provisioning profiles do not match the bundle IDs for the app and its extensions, then you need to edit the signables_manifest.txt file to identify which profile should be used to sign each part of the app. 

     Click here for instructions on editing the manifest file...

    Edit each entry in the file to provide the filename for the distribution provisioning profile that signApp should use when signing that part of the app.

    The following example shows the signables_manifest.txt file, before and after it is edited, for an app that includes several app extensions.

  4. Type the following command to execute the signing script. The command is case-sensitive; be sure to type a capital A in the script name.

  5. Check for errors. If there are errors, refer to Troubleshooting below. If the script completes without errors, you a new version of the appname.ipa file exists in your directory. This is your newly signed app. 
  6. Upload the newly signed app to App Management. For instructions, see Edit or Update an Application.
  7. Enable the app if you are ready to make it available to your users. For instructions, see Disable or Enable an Application.


If the signApp script returns an error, check for the following issues:

  • The distribution certificate and private key are not installed properly in your Login Keychain. Use Keychain Access to verify that both the certificate and private key are listed in your Login Keychain. 
  • The app contains extensions and you are signing the app with multiple distribution provisioning profiles, but you edited the signables_manifest.txt file incorrectly or did not edit it at all. See step 3 in the procedure above. 
  • You have more than one distribution certificate with the same name in your Keychain. The certificate name that you specify when you execute the script must be unique across all Keychains. For example, you cannot have a certificate with the same name in both the Login and System Keychains. If you have the certificate in more than one Keychain, you should delete it from all Keychains other than the Login Keychain, but first you should make sure that there are no other apps using the certificate in the other Keychain.

Back to Top

Sign an Android App

Before You Begin

Check that you have met all of the requirements in Signing Prerequisites.

Check that the Java Development Kit (JDK) and Android Developer Tools (ADT) are installed. If you need to install these tools, you can download them from the following links:


This procedure is based on the most recent version of Google's tools and processes.

Sign the Android App

If you are performing this procedure after applying policies to an application, begin with step 3.

To sign an Android app using the signing package
  1. Open a Terminal and change to the working directory that contains the APK file.  
  2. Type the following command to remove any signature that may already be in the APK file. Text in blue indicates variables that you must replace. 

    zip appname.apk -d "META-INF/*"


    appname.apkThe name of the APK file you are signing.


  3. Type the following command to sign the app file using the certificate/private key pair in your Java keystore. The -verbose argument enables verbose output. Note that you will be prompted to provide the keystore and key passphrases that you defined when you created the keystore.
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore filename.keystore appname.apk aliasname


    filename.keystoreThe name of the keystore.
    appname.apkThe name of the APK file you are signing.
    aliasnameThe alias of the certificate/key pair in the keystore.


    In this example, the jarsigner tool signs the Actions app.

    $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore exampleco.keystore Actions.apk exampleco

    Enter Passphrase for keystore:
       adding: META-INF/EXAMPLEC.SF
       adding: META-INF/EXAMPLEC.RSA
       signing: res/layout/main.xml
       signing: res/layout/tada.xml
       signing: AndroidManifest.xml
       signing: resources.arsc
       signing: res/drawable-hdpi/appicon.png
       signing: res/drawable-ldpi/appicon.png
       signing: res/drawable-mdpi/appicon.png
       signing: classes.dex
       signing: lib/armeabi/
       signing: lib/armeabi/
       signing: lib/x86/
       signing: lib/x86/
       signing: assets/mocana-map/lockout-email-body.txt
       signing: assets/mocana-map/lockout-message.txt
       signing: assets/mocana-map/keystore_recovery.pem

  4. Type the following command to verify that the APK is signed. 
     jarsigner -verify appname.apk
    If it is signed properly, Jarsigner responds with jar verified.

    $ jarsigner -verify Actions.apk
    jar verified.


  5. Type the following command to ensure that all uncompressed data starts with a 4-byte alignment; this alignment optimizes performance when the app is installed on a device. Text in blue indicates variables that you must replace.
    zipalign -v 4 signed&unaligned.apk signed&aligned.apk


    signed&unaligned.apkThe name of the signed APK file (the result of running the Jarsigner command).
    signed&aligned.apkThe name of the APK file after it is aligned.


    $ zipalign -v 4 Actions.apk ActionsAligned.apk

    Verifying alignment of ActionsAligned.apk (4)...
      50 META-INF/MANIFEST.MF (OK - compressed)
      673 META-INF/EXAMPLEC.SF (OK - compressed)
      1431 META-INF/EXAMPLEC.RSA (OK - compressed)
      2560 META-INF/MOCANADE.SF (OK - compressed)
      3328 META-INF/MOCANADE.RSA (OK - compressed)
      4531 res/layout/main.xml (OK - compressed)
      5149 res/layout/tada.xml (OK - compressed)
      5518 AndroidManifest.xml (OK - compressed)
      7260 resources.arsc (OK)
      8716 res/drawable-hdpi/appicon.png (OK)
      67424 res/drawable-ldpi/appicon.png (OK)
      126132 res/drawable-mdpi/appicon.png (OK)
      184822 classes.dex (OK - compressed)
      327957 lib/armeabi/ (OK - compressed)
      605239 lib/armeabi/ (OK - compressed)
      781482 lib/x86/ (OK - compressed)
      1127671 lib/x86/ (OK - compressed)
      1344663 assets/mocana-map/lockout-email-body.txt (OK - compressed)
      1344788 assets/mocana-map/lockout-message.txt (OK - compressed)
      1344934 assets/mocana-map/keystore_recovery.pem (OK - compressed)

    Verification successful

  6. Upload the newly signed app to App Management. For instructions, see Edit or Update an Application.
  7. Enable the app if you are ready to make it available to your users. For instructions, see Disable or Enable an Application.

Back to Top