Is apksigner tool that comes along with Android SDK Build Tools compliant with JCE (Java Cryptography Extension) specification?
The current (as of July 25 2017) apksigner
version 0.7
released in Andriod SDK Build Tools 26.0.1
supports signing using HSM keys via Sun/Oracle's PKCS #11 Provider and its extensions. For example:
apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 \
--provider-arg token.cfg --ks NONE --ks-type PKCS11 app.apk
Also see https://geoffreymetais.github.io/code/key-signing/.