I am trying out the APK signature scheme v4 introduced in Android 11. I use the apksigner from the Android SDK and it seems to work fine: it signs the .apk and generates the .idsig file as expected:
$ apksigner sign -v --ks ~/keystore.jks --ks-key-alias testkey app.apk
Keystore password for signer #1:
Signed
$ ls
app.apk app.apk.idsig
However, when I use the same apksigner tool to verify the signature, it outputs the following:
$ apksigner verify -v ./app.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
... # and a bunch of other v1-related warnings
So it successfully verifies based on APK Signature Scheme v3 and doesn't take into account the .idsig at all (modifying the .idsig file does not affect the verification result).
I expect "Verified using v4 scheme (APK Signature Scheme v4):" to also be true.
Am I missing something?
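For reference, an added example that is not part of the question above: a small POSIX shell wrapper that hands the .idsig file to apksigner explicitly instead of relying on it being picked up from the APK's directory, and that treats a missing .idsig as a distinct failure. It assumes apksigner from the Android SDK build-tools is on PATH (or that APKSIGNER points at it), that its verify subcommand accepts the --v4-signature-file option, and that a v4 verification failure makes apksigner exit with a nonzero status; these are assumptions about the tool, not facts taken from the question.

```shell
#!/bin/sh
# Added example, not code from the original post. Explicit v4 verification:
# apksigner is told which .idsig to check instead of being left to find it.
# Assumption: `apksigner verify` accepts --v4-signature-file <path>.
APKSIGNER="${APKSIGNER:-apksigner}"

# `apksigner sign` writes the v4 signature next to the APK as <apk>.idsig.
idsig_path() {
    printf '%s.idsig\n' "$1"
}

# Returns 2 when the APK or its .idsig is missing (no v4 check is possible,
# so "Verified using v4 scheme: false" is then the expected result, not a
# signing defect); otherwise returns apksigner's own exit status.
verify_v4() {
    apk="$1"
    idsig=$(idsig_path "$apk")
    if [ ! -f "$apk" ]; then
        echo "no such APK: $apk" >&2
        return 2
    fi
    if [ ! -f "$idsig" ]; then
        echo "no v4 signature file next to the APK: $idsig" >&2
        return 2
    fi
    "$APKSIGNER" verify -v --v4-signature-file "$idsig" "$apk"
}

# Sanity check that verification is actually bound to the .idsig contents:
# corrupt the last byte of a *copy* and expect verification to fail.
# Assumption: apksigner exits nonzero when the supplied v4 signature is bad.
check_idsig_binding() {
    apk="$1"
    tmp=$(mktemp -d) || return 2
    cp "$apk" "$tmp/app.apk" && cp "$(idsig_path "$apk")" "$tmp/app.apk.idsig" || return 2
    # Overwrite the final byte of the copied .idsig with 0x00.
    size=$(wc -c < "$tmp/app.apk.idsig")
    printf '\000' | dd of="$tmp/app.apk.idsig" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    if verify_v4 "$tmp/app.apk" >/dev/null 2>&1; then
        echo "tampered .idsig still verifies: v4 check is not in effect" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    echo "tampered .idsig rejected: v4 verification is bound to the file"
}

# Usage: ./verify_v4.sh app.apk   (runs the explicit check, then the tamper test)
if [ $# -gt 0 ]; then
    verify_v4 "$1" && check_idsig_binding "$1"
fi
```

The point of the second function is defensive: a verify step that silently ignores the .idsig reports "true" for the other schemes and gives no signal that the v4 path was never exercised, so a one-off tamper test on a copy confirms the check is really wired in.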