I have one of my Android projects producing unsigned APKs. I'm using the configuration provided below and then verifying the produced APKs. I'm sure Gradle is using the keystore file I provided, because I tried changing the path and password and the build was failing.
jarsigner -verify -verbose -certs /Users/viliuskraujutis/.../path-to-newly-created.apk
The output is this:
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
no manifest.
jar is unsigned.
For context, I'm signing like this:
android {
    ...
    signingConfigs {
        release {
            storeFile file("my-key-used-in-other-successful-project.keystore")
            storePassword "my-password-used-in-other-successful-project"
            keyAlias "my-alias-used-in-other-successful-project"
            keyPassword "my-password-used-in-other-successful-project"
        }
    }
}
You likely have a minSdkVersion of 24 or higher. If that's the case, then AGP uses a more efficient signing scheme called "V2 signing", and because all Android devices on 24+ support this scheme, it is no longer necessary to sign with the "v1 scheme" (i.e. jar signing). The V2 scheme is completely independent of jar signing; that's why jarsigner thinks the APK is unsigned. If you use apksigner (provided in Android tools), then you can check that your APK is in fact correctly signed.
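To show where the two kinds of signature live, here is an added example (not from the original posts or the Android tooling; `signing_schemes` and `build_sample` are hypothetical names and the sample archives are constructed) that reports whether an APK carries v1 JAR-signing entries and/or a v2/v3 entry in the APK Signing Block. It checks presence only, and goes slightly beyond the answer by also recognising the v3 ID; verifying the signature itself remains apksigner's job.

```python
import io, struct, zipfile

MAGIC = b"APK Sig Block 42"                        # trailer of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # ID of each scheme's ID-value pair

def signing_schemes(apk: bytes) -> set:
    """Report which signature containers are present. Presence only, no crypto check."""
    found = set()
    names = zipfile.ZipFile(io.BytesIO(apk)).namelist()
    # v1 (JAR signing) lives inside the archive; this is all jarsigner looks at.
    if "META-INF/MANIFEST.MF" in names and any(
            n.startswith("META-INF/") and n.endswith(".SF") for n in names):
        found.add("v1")
    # v2/v3 live outside the ZIP entries, in a block just before the central directory.
    cd = struct.unpack_from("<I", apk, apk.rfind(b"PK\x05\x06") + 16)[0]
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return found
    size = struct.unpack_from("<Q", apk, cd - 24)[0]   # block size, minus leading field
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        return found
    pos, end = start + 8, cd - 24
    while pos + 12 <= end:                             # uint64 length, uint32 ID, value
        length, pair_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            break
        if pair_id in SCHEME_IDS:
            found.add(SCHEME_IDS[pair_id])
        pos += 8 + length
    return found

def build_sample(v1: bool, v2: bool) -> bytes:
    """Constructed stand-in for an APK; the v2 value is filler, not a signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed")
        if v1:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
    raw = buf.getvalue()
    if not v2:
        return raw
    cd = struct.unpack_from("<I", raw, len(raw) - 6)[0]  # EOCD is the last 22 bytes
    pair = struct.pack("<QI", 12, 0x7109871A) + b"\x00" * 8
    size = struct.pack("<Q", len(pair) + 24)
    block = size + pair + size + MAGIC
    out = bytearray(raw[:cd] + block + raw[cd:])
    struct.pack_into("<I", out, len(out) - 6, cd + len(block))  # fix up CD offset
    return bytes(out)
```

An archive for which this returns only `{"v2"}` has no `META-INF/MANIFEST.MF`, which is exactly the case where jarsigner prints "no manifest." and "jar is unsigned."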