Skip to content

feat: android aab signing #593

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 24 commits into from
Oct 20, 2025
Merged

feat: android aab signing #593

merged 24 commits into from
Oct 20, 2025

Conversation

@mlisikbf
Copy link
Contributor

@mlisikbf mlisikbf commented Sep 30, 2025
edited by cursor bot
Loading

Summary

Introduces aab signing using the existing yarn sign:android command, with the same list of arguments, just provide a path to an .aab file. signAndroid will check file extension to decide on:

  • the assets path for jsbundle placement
  • what signer to use
  • when to perform zipalign (before signing for app bundles vs after signing for apks)

Includes naming changes, updates to messages and docs where appropriate.

An alternative would be for end-users to invoke jarsigner themselves, extract and modify the bundle as needed.

Test plan

  • on this branch, create a symlink for the platform package: (cd packages/platform-android && npm link)
  • create an empty rock project with npm rock create (select android, skip plugins)
  • link the package with npm link @rock-js/platform-android
  • create a release keystore with: npm rock create-keystore:android - use default values, for simplicity use fake-pass when prompted for password
  • create a release aab with: npx rock build:android --aab --local --variant release (note: using --local to opt out of cache as it does not seem to catch js changes for release variants)
  • make changes in App.tsx that will be easy to identify (eg replace <WelcomeScreen/> with custom jsx)
  • create a bundle with npx rock bundle --platform android --entry-file index.js --bundle-output output.bundle
  • re-sign aab with npx rock sign:android ./android/app/build/outputs/bundle/release/app-release.aab --keystore ./android/app/release.keystore --keystore-password fake-pass --key-password fake-pass --key-alias rock-alias --jsbundle ./output.bundle
  • to create an apk from a bundle file, use bundletool -- brew install bundletool then bundletool build-apks --bundle=./android/app/build/outputs/bundle/release/app-release.aab --output=output/apks.apks --mode=universal --local-testing --ks=./android/app/release.keystore --ks-key-alias=rock-alias --ks-pass=pass:fake-pass --key-pass=pass:fake-pass
  • extract apks: unzip output/apks.apks -d output and install on a connected device with adb install output/universal.apk
  • once ran, the app should show UI changes made after first bundle was created

revert changes and verify apk signing:

  • npx rock build:android --local --variant release
  • make UI changes to App.tsx
  • then:
npx rock bundle --platform android --entry-file index.js --bundle-output output.bundle
npx rock sign:android ./android/app/build/outputs/apk/release/app-release.apk --keystore ./android/app/release.keystore --keystore-password fake-pass --key-password fake-pass --key-alias rock-alias --jsbundle ./output.bundle
adb install ./android/app/build/outputs/apk/release/app-release.apk

closes #588

Note

Generalizes Android signing to handle both APK and AAB, updating args, signing/align flow, bundle replacement paths, and docs.

  • Platform Android (@rock-js/platform-android)
    • AAB Support in sign:android: Now signs both APK and AAB based on file extension.
      • Uses apksigner for APK and jarsigner for AAB; adjusts zipalign order accordingly.
      • Replaces JS bundle in assets (APK) or base/assets (AAB).
      • Introduces generic binaryPath throughout (apk -> binaryPath/path) and updates messages.
      • New helpers: alignArchiveFile, signAab, signApk, isAab, and password handling for jarsigner.
  • Docs
    • Updates website/src/docs/cli.md for sign:android to accept APK or AAB and reflect new binaryPath argument and output descriptions.
  • Release
    • Changeset: minor bump for @rock-js/platform-android.

Written by Cursor Bugbot for commit 321b308. This will update automatically on new commits. Configure here.

@changeset-bot
Copy link

changeset-bot bot commented Sep 30, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 321b308

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 14 packages
Name Type
@rock-js/platform-android Minor
@rock-js/plugin-brownfield-android Minor
@rock-js/config Minor
@rock-js/platform-apple-helpers Minor
@rock-js/platform-ios Minor
@rock-js/plugin-brownfield-ios Minor
@rock-js/plugin-metro Minor
@rock-js/plugin-repack Minor
@rock-js/provider-github Minor
@rock-js/provider-s3 Minor
@rock-js/test-helpers Minor
@rock-js/tools Minor
@rock-js/welcome-screen Minor
rock Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link

vercel bot commented Sep 30, 2025

@mlisikbf is attempting to deploy a commit to the Callstack Team on Vercel.

A member of the Team first needs to authorize it.

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

@mlisikbf mlisikbf mentioned this pull request Sep 30, 2025
Closed
cursor[bot]

This comment was marked as outdated.

Sign in to view

mlisikbf
mlisikbf commented Sep 30, 2025
View reviewed changes
packages/platform-android/src/lib/commands/signAndroid/signAndroid.ts Outdated
Comment on lines 339 to 341
function isAab(filePath: string): boolean {
return path.extname(filePath).toLowerCase() === '.aab';
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

opted to switch on path extension rather than adding a separate --aab flag, as that should be enough to distinguish and the flag seemed superfluous.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

makes sense 👍🏼

Copy link
Contributor

@thymikee thymikee Oct 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please run prettier here and there (this one is missing trailing newline)

cursor[bot]

This comment was marked as outdated.

Sign in to view

@mlisikbf mlisikbf requested a review from thymikee October 14, 2025 14:50
@thymikee
Copy link
Contributor

It's on my list, will come back to this shortly!

artus9033
artus9033 requested changes Oct 15, 2025
View reviewed changes
Copy link
Contributor

@artus9033 artus9033 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work, thanks for the contribution! Just the few comments to be resolved + I think we should decide to go with apksigner instead of jarsigner to make it more secure & follow Android docs' recommendations.

packages/platform-android/src/lib/commands/signAndroid/signAndroid.ts Outdated
// 6. Align archive after signing if aab
if (isAab(outputPath)) {
await alignArchive()
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The post-signing alignment for AABs also overwrites the signed outputPath with the unsigned tempArchivePath, losing the signature

This bot's comment is actually incorrect, we can ignore that (LLM trash as usual). The issue is exactly why apksigner is preferred over jarsigner, because jarsigner means Android v1 signature. apksigner uses v2,3 or 4 signing which is whole-file signing and therefore there is no way to tamper with the file after signing and therefore signing is needed after alignment. However, if we move to apksigner (as I suggested in a comment below), we would then have to keep in mind the (only) right way would be align-then-sign.

also, can you send me some materials on why AAB needs aligning after signing, while APK does it before?

It's not that they need it that way, it results from the tool choice. Jarsigner (legacy, which constitutes the old Android singing scheme v1) only signs parts of the ZIP (APK / AAB), and the signatures don't cover ZIP metadata. Zipalign stores the actual alignment information in the ZIP metdata (not covered by the signatures) and this is why the signing should occur after alignment.

Apksigner signs according to v2+ Android signing schemes which treat the whole file as a blob (including ZIP metadata). Therefore, realigning means invalidating the signature.

Some information on that can be found here: https://source.android.com/docs/security/features/apksigning#v1

thymikee
thymikee reviewed Oct 17, 2025
View reviewed changes
@thymikee
Copy link
Contributor

Minor tweaks and we're good to merge this today

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

@thymikee thymikee merged commit 775b305 into callstackincubator:main Oct 20, 2025
4 of 5 checks passed
thymikee added a commit that referenced this pull request Oct 20, 2025
@mlisikbf @thymikee
feat: android aab signing (#593)
0a593f4 
* feat: android aab signing

* feat: android aab signing - docs update

* feat: android aab signing - fixes assets path

* feat: android aab signing - changeset

* feat: android aab signing - missing semicolon

* feat: android aab signing - ensures non-empty alias

* feat: android aab signing - avoids shadowing node:path

* feat: android aab signing - strips jarsigner password input

* feat: android aab signing - corrects key-alias message

* feat: android aab signing - uses input path for isAab checks

* feat: android aab signing - updates changeset

* feat: android aab signing - adds note on sign/align sequence

* feat: android aab signing - removes aab-specific signing flow

* feat: android aab signing - minimizes changes

* feat: android aab signing - adds --min-sdk-version arg

* feat: android aab signing - adds --min-sdk-version note in the docs

* Update packages/platform-android/src/lib/commands/signAndroid/signAndroid.ts

Co-authored-by: Michał Pierzchała <[email protected]>

* feat: android aab signing - adds applies prettier

* feat: android aab signing - moves doc comment

* feat: android aab signing - removes reduntant brace

* feat: android aab signing - adds comment on default --min-sdk-version

* feat: android aab signing - removes --new-sdk-version from sign command

---------

Co-authored-by: Michał Pierzchała <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thymikee thymikee thymikee left review comments

@artus9033 artus9033 artus9033 requested changes

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

sign:android command for android app bundles

3 participants

@mlisikbf @thymikee @artus9033