android 11 – APK signature scheme v4 can’t be verified with apksigner

I am trying out the APK signature scheme v4 introduced in Android 11. I use the apksigner from the Android Sdk and it seems to work fine: it signs the .apk and generates the .idsig file as expected:


$/Android/Sdk/build-tools/30.0.3/apksigner sign -v --ks ~/keystore.jks --ks-key-alias testkey app.apk
Keystore password for signer #1:

app.apk  app.apk.idsig

However, when I use the same apksigner tool to verify the signature, it outputs the following:

$/Android/Sdk/build-tools/30.0.3/apksigner verify -v ./app.apk
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
WARNING: META-INF/com/android/build/gradle/ not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
... # and a bunch of other v1-related warnings

$ echo $?

So it successfully verifies based on APK Signature Scheme v3 and doesn’t take into account the .idsig at all (modifying the .idsig file does not affect the verification result).
I expect Verified using v4 scheme (APK Signature Scheme v4): to also be true. Am I missing something?

Ubuntu 21.04, Android Sdk 30.0.3.