Android Application Signing

You must sign the release version of your app with an Android certificate before you submit it for review.

Signing Requirements

Android uses a digital certificate (also called a keystore) to cryptographically validate the identity of application authors. All Android applications must be digitally signed with such a certificate in order to be installed and run on an Android device.

All developers must create their own unique digital signature and sign their applications before submitting them to Oculus for approval. For more information, see Sign Your App and apksigner in the Android documentation.

Make sure to save the certificate file you use to sign your application. All subsequent updates to your application must be signed with the same certificate file.

Oculus currently requires v1 and/or v2 of the three APK signing schemes. Apps may additionally be signed with v3, although v3 signing is currently not required. The version you should use depends on your app’s target device(s):

Target Device(s) | Signing Scheme Version | More Details
Quest/Quest 2 | v2 and v1 | You must add the headtracking feature to the manifest to sign as v2. For more information, see Android Application Signing.
Go | v1 | The v1 scheme is based on JAR signing. See Application Signing (Android Docs).
Go and Quest | Sign as v1, but if the app uses headtracking, mark the manifest with android:required="false" | For more information, see Android Application Signing and Application Signing (Android Docs).

Verify the Signing

You can use the apksigner tool to verify your APK's signature. To do so, use the following command:

$ apksigner verify --verbose ~/path-to-apk/app-name.apk

You should see output similar to the following:

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
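
To turn this check into a release gate, the following added example (not part of the original page or of any Oculus tooling) parses the verifier output on stdin and enforces the per-device scheme requirements from the table above. It assumes you add apksigner's --print-certs option to the command so the signer DN is printed, which lets it also reject the Android debug certificate; the function names, target names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Release gate over `apksigner verify --verbose --print-certs` output.
# Usage: apksigner verify --verbose --print-certs app.apk | check_signing quest
# Target names (quest, go, go-quest) are this example's own labels.

# scheme_ok OUTPUT N: true if the "Verified using vN scheme" line says true.
scheme_ok() {
    printf '%s\n' "$1" | grep -Eq "^Verified using v$2 scheme \(.*\): true\$"
}

check_signing() {
    target=$1
    out=$(cat)    # apksigner output arrives on stdin

    # apksigner prints "Verifies" first when the APK passes verification.
    printf '%s\n' "$out" | grep -qx 'Verifies' || { echo "FAIL: not verified"; return 1; }

    # A debug certificate must not reach a release build.
    if printf '%s\n' "$out" | grep -q 'certificate DN:.*CN=Android Debug'; then
        echo "FAIL: signed with the Android debug certificate"; return 1
    fi

    case $target in
        quest)       required="1 2" ;;   # Quest/Quest 2: v2 and v1
        go|go-quest) required="1" ;;     # Go, or Go and Quest: v1
        *) echo "FAIL: unknown target '$target'"; return 2 ;;
    esac
    for v in $required; do
        scheme_ok "$out" "$v" || { echo "FAIL: v$v signature missing for $target"; return 1; }
    done
    echo "OK: $target"
}

# Constructed sample outputs (not taken from a real APK).
SAMPLE_V1_V2='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=Example Studio, O=Example, C=US'

SAMPLE_V1_ONLY=$(printf '%s\n' "$SAMPLE_V1_V2" | sed 's/v2): true/v2): false/')
SAMPLE_DEBUG=$(printf '%s\n' "$SAMPLE_V1_V2" | sed 's/CN=Example Studio, O=Example/CN=Android Debug, O=Android/')
```

The function returns non-zero on any failed requirement, so it can stop a build script before upload.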

Unity Settings for Android Application Signing

Unity automatically signs Android applications with a temporary debug certificate by default. Before building your final release build, create a new Android keystore and assign it with the Use Existing Keystore option, found in Edit > Project Settings > Player > Publishing Settings. For more information, see Android Player Settings: Publishing Settings in the Unity documentation.

Unreal Signing

The latest version of Unreal Engine on GitHub supports v2 signing. If you are using an older version of Unreal and publishing a Quest app, you will need to edit the manifest to use the correct signing scheme or manually patch your version of Unreal so that it signs the app correctly. For more information, see Signing Projects for Release in the Unreal docs.