Google Play

    App Signing Failed Google Play Console (Fixes)

    A Google Play Console signing failure caused by running zipalign after apksigner, alongside the correct zipalign-then-apksigner order.

    When Google Play Console reports that app signing failed, it usually means the artifact you uploaded is not validly signed for Play, and the most common reason is a signing toolchain that ran in the wrong order or used the wrong tool. For an APK, you must run zipalign before apksigner, because any change to the APK after signing, including aligning it, invalidates the signature. Sign with apksigner rather than jarsigner so a modern v2 or v3 signature scheme is applied, since a v1-only signature is not enough for current apps. For an app bundle, you do not zipalign or apksigner the final file at all; you sign the bundle and let Play App Signing produce the delivered APKs. If the error is instead an upload key mismatch, that is an identity problem, not a toolchain one.

    Short answer

    A signing failure on upload is almost always about how the file was signed, not about your key being wrong. Per Android's apksigner docs, if you sign an APK and then change it, the signature is invalidated, and if you use zipalign you must run it before signing, so the correct order is zipalign, then apksigner. apksigner also applies the v2, v3, and v4 schemes that Play expects, which jarsigner cannot, so use apksigner. For an app bundle, per Android's app signing docs, Play App Signing generates and signs the delivered APKs, so you sign the bundle and skip the APK alignment and signing steps entirely.

    What app signing failed means in Play Console

    When Play Console says signing failed, it is telling you that the uploaded artifact did not pass its signature validation, which is a gate every upload goes through. Play checks that the file is signed with a valid scheme, that the signature actually verifies against the contents, and that it matches the key Play expects for your app. A failure means one of those checks did not pass, and the message is your prompt to work out which.

    There are two broad families behind the same wording. One is a toolchain problem, where the artifact is not correctly signed, because it was aligned after signing, signed with the wrong tool, signed only with the old scheme, or built with a debug key. The other is an identity problem, where the file is validly signed but with a key that does not match your app's expected upload key. The focus here is the toolchain family, since that is what most build-side signing failures are; the key-mismatch case is a separate fix about which key you used.

    ZipAlign or apksigner: which, and in what order

    These are two different tools that both touch the APK, and confusing their order is a leading cause of signing failure. zipalign aligns the APK's data for efficient loading, and apksigner signs it. The order is not interchangeable: per Android's documentation, if you use zipalign you must use it before signing the APK, because signing with apksigner and then making any further change, alignment included, invalidates the signature. So the pipeline is build, then zipalign, then apksigner, and nothing that alters the file after that.

    The classic failure is running zipalign after apksigner, which produces an APK whose v2 or v3 signature no longer matches the now-modified file, so Play rejects it as improperly signed. If your build script or CI does its own alignment step at the end, that is very likely the cause. The fix is to reorder so alignment happens before signing, or, more simply, to let the Gradle signing config handle both, since Gradle aligns and signs in the correct sequence for you.

    Use apksigner, not jarsigner: V1 versus V2

    The other toolchain cause is the signing tool itself, which is where the V1 versus V2 question comes in. jarsigner is the old JAR signing tool and it can only produce a v1 signature, the original scheme that signs individual files inside the archive. apksigner, from the Android build tools, produces the v2, v3, and v4 schemes, which sign the whole APK and are what modern Android and Google Play rely on. A v1-only artifact, or one signed with jarsigner, is a common reason a build is treated as not properly signed.

    So the tool you sign with determines which schemes are present, and you want apksigner. By default apksigner uses your minSdkVersion and maxSdkVersion to decide which schemes to apply, so it adds the right ones automatically for your app's range. If you sign manually, replace any jarsigner step with apksigner; if you build with Gradle, the release signing config already uses the correct signing internally. Either way, ensuring a v2 or higher signature is present is what clears this class of failure.

    App bundles are signed differently

    If you upload an Android App Bundle rather than an APK, applying APK signing steps to it is itself a mistake, because the bundle is not the file users install. With Play App Signing, you sign the bundle with your upload key, and Google generates and signs the actual delivered APKs with the app signing key it holds. So there is no zipalign step and no apksigner step on a final APK in this flow; those tools operate on APKs, not on the AAB.

    This trips people who move from building APKs to building bundles and carry their old signing commands along. The result is either a signing error or wasted effort aligning and signing something Play is going to re-sign anyway. For a bundle, let Gradle sign it with your upload key and let Play App Signing take it from there, and reserve zipalign and apksigner for the case where you are genuinely producing a standalone APK.

    Common causes and fixes at a glance

    Matching the failure to its cause points you at the fix. The table below maps the common ones.

    CauseWhy signing failsFix
    Aligned after signingChange after apksigner invalidates the signaturezipalign before apksigner
    Signed with jarsignerOnly a v1 signature is producedSign with apksigner for v2 or higher
    v1-only signatureMissing the whole-file scheme Play expectsEnable v2 and v3 signing
    Built with a debug keyDebug-signed artifacts are rejectedSign with your release or upload key
    Modified the AAB with APK toolsBundle is not an installable APKSign the bundle; let Play App Signing sign APKs

    Read the first two rows first, since aligning after signing and using jarsigner are the two most common build-side signing failures.

    Verify your signature before uploading

    You can catch a signing failure on your own machine before Play does by verifying the artifact after your build. For an APK, run apksigner verify with the print-certificates option, which confirms the signature verifies and shows which schemes are present and which certificate signed it, so you can see at a glance whether v2 is there and whether the key is your release key rather than a debug key. A file that fails apksigner verify will also fail in Play.

    Confirm the identity as well as the validity. Check that the certificate fingerprint matches the upload key Play expects for your app, so you catch a wrong-key situation locally instead of after a rejected upload. For an app bundle, verify through your Gradle build output and the Play Console upload feedback rather than APK tools. Verifying before uploading turns a slow round trip through Play into a fast local check.

    Fix checklist

    Working through these steps clears most signing failures. The checklist below covers them.

    StepActionDone?
    Fix the orderRun zipalign before apksigner, never after[ ]
    Use the right toolSign with apksigner, not jarsigner[ ]
    Enable modern schemesEnsure v2 and v3 signatures are applied[ ]
    Use the release keyConfirm the build is not debug-signed[ ]
    Handle bundles correctlySign the AAB and let Play App Signing sign APKs[ ]
    Verify locallyRun apksigner verify before uploading[ ]

    The step teams skip most is verifying locally, because a quick apksigner verify catches every one of these before the upload does.

    When it is really an upload key mismatch

    One honest caveat: not every signing failure is a toolchain problem. If your artifact is correctly signed but with a key that does not match the upload key Play has on record, the fix is not reordering tools but using the right key, or requesting an upload key reset if the key is lost. That case shows up as a key or certificate mismatch rather than an invalid-signature error, and it is resolved separately from the alignment and scheme issues covered here.

    So read the exact message. If Play complains that the signature is invalid or the APK is not signed with a required scheme, you are in the toolchain family addressed here. If it says the certificate does not match the expected upload certificate, you are in the identity family, and the fix lives with your keys and Play App Signing rather than with zipalign and apksigner.

    Where a scan fits

    A signing failure is a build problem, so a scanner does not fix it, but once your artifact signs cleanly it is worth checking that your signing setup is not leaking secrets.

    A scanner like PTKD.com analyzes your build and flags issues such as keystores or signing passwords committed into the repo, hardcoded secrets, and over-broad permissions by severity, mapped to OWASP MASVS. To be clear about the boundary: PTKD does not sign your app or reorder your build steps. It helps confirm that the signing credentials you just got working are stored safely rather than sitting in the project where they can leak.

    What to take away

    • App signing failed in Play Console usually means the artifact is not validly signed, most often from a toolchain order or tool mistake rather than a bad key.
    • Run zipalign before apksigner, because any change after signing, including alignment, invalidates the signature.
    • Sign with apksigner, not jarsigner, so a v2 or higher scheme is applied, since a v1-only signature is a common cause of failure.
    • For an app bundle, sign the AAB and let Play App Signing produce and sign the delivered APKs, without zipalign or apksigner steps.
    • Verify with apksigner verify before uploading, and if the message is a certificate mismatch it is a key problem, not a toolchain one; a tool like PTKD.com helps keep signing secrets out of the repo.
    • #google play
    • #app signing
    • #apksigner
    • #zipalign
    • #signature scheme

    Frequently asked questions

    Why does Google Play say my app signing failed?
    Because the uploaded artifact did not pass Play's signature validation, which checks that the file is signed with a valid scheme, that the signature verifies against the contents, and that it matches the expected key. Most build-side failures are toolchain problems: the APK was aligned after signing, signed with jarsigner instead of apksigner, signed only with the old v1 scheme, or built with a debug key. Read the exact message to tell whether it is a toolchain problem or an upload key mismatch, which is a separate fix.
    Should I run zipalign before or after apksigner?
    Before. zipalign aligns the APK and apksigner signs it, and per Android's documentation, if you sign with apksigner and then make any further change to the APK, including alignment, the signature is invalidated. So the correct order is build, then zipalign, then apksigner, with nothing altering the file afterward. Running zipalign after apksigner is a leading cause of signing failure because it breaks the v2 or v3 signature. The simplest fix is to let the Gradle signing config align and sign in the right order for you.
    What is the difference between V1 and V2 signatures for Google Play?
    V1 is the original JAR signing scheme that signs individual files inside the archive and is all that jarsigner can produce. V2, and the later v3 and v4, are APK Signature Schemes that sign the whole APK and are what modern Android and Google Play rely on. apksigner, from the Android build tools, applies v2 and higher and by default uses your minSdkVersion and maxSdkVersion to decide which schemes to add. A v1-only artifact, often from signing with jarsigner, is a common reason Play treats a build as not properly signed.
    How do I sign an Android App Bundle for Play?
    You do not zipalign or apksigner the final file. With Play App Signing you sign the bundle with your upload key, typically through the Gradle release signing config, and Google generates and signs the delivered APKs with the app signing key it holds. So the APK-specific tools zipalign and apksigner do not apply to the AAB. A frequent mistake when moving from APKs to bundles is carrying the old APK signing commands along, which causes a signing error or wasted effort signing something Play re-signs anyway.
    How do I verify my APK is signed correctly before uploading?
    Run apksigner verify with the print-certificates option on the signed APK. It confirms the signature verifies and shows which signature schemes are present and which certificate signed it, so you can see whether v2 is applied and whether the key is your release key rather than a debug key. A file that fails apksigner verify will also fail in Play. Also check that the certificate fingerprint matches the upload key Play expects, so a wrong-key situation is caught locally instead of after a rejected upload.
    What if the error is a certificate or key mismatch instead?
    Then it is an identity problem, not a toolchain one, and reordering tools will not help. If your artifact is correctly signed but with a key that does not match the upload key Play has on record, the fix is to sign with the right key, or to request an upload key reset if the key is lost, which is possible under Play App Signing because Google holds the app signing key. That case shows up as a certificate mismatch rather than an invalid-signature error and is resolved with your keys, separately from zipalign and apksigner.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free