Question, Bug, or Feature?
Type: Bug
Enter Task Name: AndroidSigning@3 fails to sign
https://github.com/MicrosoftDocs/vsts-docs/issues/6097
Is AndroidSigning@3 using a different keystore format and if so, how do you generate it?
I'm receiving a DevOps YAML task signing error using AndroidSigning@3
VS2019 16.3.5 generated the keystore, using Ad-Hoc
The keystore is uploaded as a secure file.
The passwords are set as secure
Using the same pipeline, but different android signing tasks:
This works:
```yaml
- task: AndroidSigning@2
  displayName: "align and sign"
  inputs:
    apkFiles: '$(outputDirectory)/*.apk'
    jarsign: true
    jarsignerKeystoreFile: 'myapp-keystore.keystore'
    jarsignerKeystorePassword: '$(keystorePassword)'
    jarsignerKeystoreAlias: 'myapp-keystore'
    jarsignerKeyPassword: '$(keyPassword)'
    zipalign: true
```
This fails (see error details below)
```yaml
- task: AndroidSigning@3
  displayName: 'align and sign'
  inputs:
    apkFiles: '$(outputDirectory)/*.apk'
    apksignerKeystoreFile: 'myapp-keystore.keystore'
    apksignerKeystorePassword: '$(keystorePassword)'
    apksignerKeystoreAlias: 'myapp-keystore'
    apksignerKeyPassword: '$(keyPassword)'
    zipalign: true
```
```
C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Android\android-sdk\build-tools\24.0.3\apksigner.bat" sign --ks d:\a_temp\myapp-keystore.keystore --ks-pass "pass:" --ks-key-alias myapp-keystore --key-pass "pass:" --verbose d:\a\1\b\Release\android\com.aiworldwide.myapp.apk"
Failed to load signer "signer #1"
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:785)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCertsFromKeyStore(ApkSignerTool.java:604)
    at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCerts(ApkSignerTool.java:546)
    at com.android.apksigner.ApkSignerTool$SignerParams.access$200(ApkSignerTool.java:500)
    at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:236)
    at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:93)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:783)
    ... 9 more
```
Also facing this problem
Me too, and I've double checked that the passwords and key alias are correct. They work if I build the same code in App Center.
@eduardomhg Yeah, it's a DevOps bug that I wish was getting more attention. In DevOps, I created a 2nd pipeline using the classic editor, and I can't get the align and sign task to work on version 2 or version 3.
@MouthOfMadness, thank you for reporting this! Version 2 of the AndroidSigning task uses the jarsigner tool for signing the APK, while version 3 of the task uses the currently recommended APK signer tool.
Which Java version are you using in the task? On Java 9, the apksigner cannot detect the charset used and may need to be provided with the option --pass-encoding when a password containing non-ASCII characters is used. You may also need to include the --pass-encoding option for a KeyStore created by a keytool on a different OS or in a different locale. You should be able to include the --pass-encoding option in the apksigner arguments field of the task.
Please let us know if adding the --pass-encoding option remedies the issue.
Just to be clear, there are 2 bugs here.
1) When adding a task through the classic version of the pipeline, both version 2 and 3 fail.
2) On the YAML version, just the version 3 fails
Testing the --pass-encoding parameter, I tried 2 ways (blank, utf-8), but in both instances it tells me it's an unsupported option.
```
C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Android\android-sdk\build-tools\24.0.3\apksigner.bat" sign --ks d:\a_temp\myapp-keystore.keystore --ks-pass "pass:" --ks-key-alias myapp-keystore --key-pass "pass:" --verbose --pass-encoding d:\a\1\b\Release\myapp.apk"
Unsupported option: --pass-encoding. See --help for supported option
```
I then tried specifying --pass-encoding utf-8, and I get the following error:
```
C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Android\android-sdk\build-tools\24.0.3\apksigner.bat" sign --ks D:\a_temp\myapp-keystore.keystore --ks-pass "pass:" --ks-key-alias myapp-keystore --key-pass "pass:" --verbose --pass-encoding utf-8 D:\a\1\b\Release\myapp.apk"
Unsupported option: --pass-encoding. See --help for supported options.
```
So I don't think it's this error.
Let me add the task, just in case I did it wrong.
Thank you for the additional information and trying to use the --pass-encoding parameter. The correct usage is --pass-encoding utf-8, or replacing utf-8 with any other encoding that is appropriate. We'll continue to look into the matter.
@keljos
Some new clues for you.
If I use a java based keystore extension .jks generated by Android Studio, it works with the AndroidSigning@3 task.
If I use the keystore extension .keystore generated by VS2019, it fails.
Hitting the same issue. Interestingly only 1 out of my 4 projects fail though. Can't remember when or how I created the keystore files. Signing locally through Visual Studio works without issues.
Any updates on when this is being resolved?
@MouthOfMadness thanks for your patience!
About the --pass-encoding option for apksigner tool error - currently Android SDK v24.0.3 is used in Azure Pipelines, which doesn't have support for the apksigner --pass-encoding option.
About exception java.io.IOException: Keystore was tampered with, or password was incorrect - this exception seems to be triggered by apksigner itself. This usually happens when there are special characters (especially a backslash) in keystore password (checked it by myself). Could you please change keystore password or create keystore using the new password without special characters and run the pipeline again?
@alexander-smolyakov I was able to get this running, at that time a keystore type could only be processed by the task AndroidSigning@2, I was using AndroidSigning@3. However, if I created a java keystore (jks), it would fail AndroidSigning@2 and only work on AndroidSigning@3 (as I had mentioned above). Months later, my pipeline started failing on the AndroidSigning@2 task so I updated to AndroidSigning@3 and it started working.
@alexander-smolyakov Thanks for the workaround! I changed my keystore password (removed non-alphanumeric characters) and signing went through! That was AndroidSigning@3
It is weird that this problem is still not fixed.
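Added example, not part of the original thread or of the AndroidSigning task: a preflight check for the two things the comments above point at, namely which keystore container the file actually is (the .jks versus .keystore observation) and whether a password contains characters the thread reports as troublesome (backslash, other non-alphanumerics, non-ASCII). The function names and the sample bytes are constructed for illustration; the magic numbers are the standard JKS/JCEKS headers.

```python
import struct

# Standard container magic numbers (format facts, not taken from the thread).
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE


def keystore_format(data: bytes) -> str:
    """Classify a keystore by its leading bytes, ignoring the file extension."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    # PKCS#12 is ASN.1: SEQUENCE tag (0x30), then INTEGER version 3 (02 01 03).
    if data[:1] == b"\x30" and b"\x02\x01\x03" in data[1:8]:
        return "PKCS12"
    return "unknown"


def password_risks(password: str) -> list:
    """List reasons a password may not reach apksigner intact."""
    risks = []
    if any(ord(c) > 127 for c in password):
        # Would need --pass-encoding, which build-tools 24.0.3 rejects per the thread.
        risks.append("non-ascii")
    if "\\" in password:
        risks.append("backslash")
    if any(c.isascii() and not c.isalnum() and c != "\\" for c in password):
        risks.append("other-special")
    return risks


def preflight(data: bytes, ks_pass: str, key_pass: str) -> dict:
    """Combine both checks for one signing configuration."""
    return {
        "format": keystore_format(data),
        "ks_pass": password_risks(ks_pass),
        "key_pass": password_risks(key_pass),
    }


# Constructed sample headers (not real keystores): JKS v2 with one entry, PKCS#12 v3.
SAMPLE_JKS = b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x01"
SAMPLE_P12 = b"\x30\x82\x0a\x00\x02\x01\x03\x30\x82"

if __name__ == "__main__":
    print(preflight(SAMPLE_JKS, "Abc123", "p\\ss"))
    print(preflight(SAMPLE_P12, "p\u00e4$s", "Abc123"))
```

Run it on the agent or locally against the real file bytes (`open(path, "rb").read(16)` is enough) so the password never has to appear in pipeline logs.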