Signing Android apps on Windows

Blue Cedar does not fully support Android signing on Windows as part of the policy console. This page describes the process to sign on Windows and provides a script. Contact Blue Cedar Support if you need help.


When an Android app (.apk file) is secured with Blue Cedar policies, it needs to be re-signed in order to be installed on an Android device. Blue Cedar supports Android app signing on macOS and Linux. Signing apps externally on MacOS describes the process for Mac and Linux using a shell script provided by the Blue Cedar policy console. This page describes how to sign Android apps on computers running Windows and provides the signing script for these users:

  • Blue Cedar Enterprise (on-premises) users who choose to Export for external code signing
  • Blue Cedar Enforce users and Enterprise (hosted) users: external code signing is the only option

Step-by-step guide

Before you export a secured app for signing, see the policy console documentation to secure an app with an appropriate signing profile. Once you have secured the app and included a signing profile, you can Export a zip file from the policy console and sign outside the console. This zip file includes:

  • A copy of the secured app
  • All information required to sign the app
  • A simple shell script (sign.sh) to run on a Mac or Linux signing server. 
    Windows requires a batch (.bat) script which is currently not provided by the console, but is attached here. sign.bat

Applying the signing profile in the console validates the signing parameters for use with your app, even though it does not sign the app. Click Export for Signing to download the app with its signing information.

Requirements for signing on Windows

  • Download this script file for signing on Windows to replace the script in the exported zip file: sign.bat
    • Edit the sign.bat file to replace "mykey" with your keystore alias and "cloudfaux" with your keystore password. These credentials must match the keystore credentials in your signing profile.
  • Software: 
    • Download and install the latest Android SDK (newer than version 26.0.0).
    • Download and install the latest JDK (oracle.com) (version 1.8+)
  • Path: Edit these environment variables and path: 
  • Open "advanced system settings" from the Windows search box. On the Advanced tab, select Environment Variables and add or edit these variables.
Add or edit environment variableSet toExample
JAVA_HOMEThe location of the JDK installationC:\Program Files\Java\jdk1.8.0_162
ANDROID_HOMEThe location of the Android SDK installationC:\Users\jlennon\AppData\Local\Android\Sdk
build_toolsThe build_tools location in the Android SDK path%ANDROID_HOME%\build-tools\27.0.3\
PATHAdd the other tools in the Android SDK path

%PATH%;%ANDROID_HOME%\tools;%ANDROID_HOME%\platform-tools

Signing the app

To sign the app using the contents of the zip file:

On your Windows signing server, extract the contents of the zip file. 

Copy the Windows signing script to the directory with the extracted files. (sign.bat)

Open the Command window and navigate to your extracted .apk directory.

$ cd Downloads/<exported-app-folder>

Run the script:

$ sign <input app name>


For example:

$ sign compass-secured.apk


The default output filename adds "-signed" to the original filename, for example, compass-secured-signed.apk. Optionally, you can specify the output filename:

$ sign compass-secured.apk compass-signed.apk

The secured and signed app is now ready to deploy and test.