diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 4584a433..b8f4fd38 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -2527,6 +2527,18 @@ def apk_strip_signatures(signed_apk, strip_manifest=False):
                             out_apk.writestr(info, buf)
 
 
+def _zipalign(unsigned_apk, aligned_apk):
+    """run 'zipalign' using standard flags used by Gradle Android Plugin
+
+    -p was added in build-tools-23.0.0
+
+    https://developer.android.com/studio/publish/app-signing#sign-manually
+    """
+    p = SdkToolsPopen(['zipalign', '-v', '-p', '4', unsigned_apk, aligned_apk])
+    if p.returncode != 0:
+        raise BuildException("Failed to align application")
+
+
 def apk_implant_signatures(apkpath, signaturefile, signedfile, manifest):
     """Implats a signature from metadata into an APK.
 
@@ -2553,9 +2565,7 @@ def apk_implant_signatures(apkpath, signaturefile, signedfile, manifest):
                             buf = in_apk.read(info.filename)
                             out_apk.writestr(info, buf)
         os.remove(apkpath)
-        p = SdkToolsPopen(['zipalign', '-v', '4', apkwithnewsig, apkpath])
-        if p.returncode != 0:
-            raise BuildException("Failed to align application")
+        _zipalign(apkwithnewsig, apkpath)
 
 
 def apk_extract_signatures(apkpath, outdir, manifest=True):
@@ -2602,9 +2612,7 @@ def sign_apk(unsigned_path, signed_path, keyalias):
     if p.returncode != 0:
         raise BuildException(_("Failed to sign application"), p.output)
 
-    p = SdkToolsPopen(['zipalign', '-v', '4', unsigned_path, signed_path])
-    if p.returncode != 0:
-        raise BuildException(_("Failed to zipalign application"))
+    _zipalign(unsigned_path, signed_path)
     os.remove(unsigned_path)
 
 
diff --git a/fdroidserver/nightly.py b/fdroidserver/nightly.py
index 1e150c80..c31571ff 100644
--- a/fdroidserver/nightly.py
+++ b/fdroidserver/nightly.py
@@ -91,6 +91,10 @@ def main():
                         help=_("Specify which debug keystore file to use."))
     parser.add_argument("--show-secret-var", action="store_true", default=False,
                         help=_("Print the secret variable to the terminal for easy copy/paste"))
+    parser.add_argument("--keep-private-keys", action="store_true", default=False,
+                        help=_("Do not remove the private keys generated from the keystore"))
+    parser.add_argument("--no-deploy", action="store_true", default=False,
+                        help=_("Do not deploy the new files to the repo"))
     parser.add_argument("--file", default='app/build/outputs/apk/*.apk',
                         help=_('The the file to be included in the repo (path or glob)'))
     parser.add_argument("--no-checksum", action="store_true", default=False,
@@ -283,14 +287,19 @@ Last updated: {date}'''.format(repo_git_base=repo_git_base,
         common.local_rsync(options, repo_basedir + '/metadata/', git_mirror_metadatadir + '/')
         mirror_git_repo.git.add(all=True)
         mirror_git_repo.index.commit("update app metadata")
-        try:
-            subprocess.check_call(['fdroid', 'server', 'update', '--verbose'], cwd=repo_basedir)
-        except subprocess.CalledProcessError:
-            logging.error(_('cannot publish update, did you set the deploy key?')
-                          + '\n' + deploy_key_url)
-            sys.exit(1)
-        if shutil.rmtree.avoids_symlink_attacks:
-            shutil.rmtree(os.path.dirname(ssh_private_key_file))
+
+        if not options.no_deploy:
+            try:
+                subprocess.check_call(['fdroid', 'server', 'update', '--verbose'], cwd=repo_basedir)
+            except subprocess.CalledProcessError:
+                logging.error(_('cannot publish update, did you set the deploy key?')
+                              + '\n' + deploy_key_url)
+                sys.exit(1)
+
+        if not options.keep_private_keys:
+            os.remove(KEYSTORE_FILE)
+            if shutil.rmtree.avoids_symlink_attacks:
+                shutil.rmtree(os.path.dirname(ssh_private_key_file))
 
     else:
         if not os.path.isfile(options.keystore):
diff --git a/fdroidserver/publish.py b/fdroidserver/publish.py
index fad7d00f..b80f9ea5 100644
--- a/fdroidserver/publish.py
+++ b/fdroidserver/publish.py
@@ -33,7 +33,7 @@ import zipfile
 from . import _
 from . import common
 from . import metadata
-from .common import FDroidPopen, SdkToolsPopen
+from .common import FDroidPopen
 from .exception import BuildException, FDroidException
 
 config = None
@@ -350,10 +350,7 @@ def main():
                     raise BuildException(_("Failed to sign application"), p.output)
 
                 # Zipalign it...
-                p = SdkToolsPopen(['zipalign', '-v', '4', apkfile,
-                                   os.path.join(output_dir, apkfilename)])
-                if p.returncode != 0:
-                    raise BuildException(_("Failed to align application"))
+                common._zipalign(apkfile, os.path.join(output_dir, apkfilename))
                 os.remove(apkfile)
 
                 publish_source_tarball(apkfilename, unsigned_dir, output_dir)
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 296111de..58aab01c 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -1875,7 +1875,8 @@ def main():
 
     config = common.read_config(options)
 
-    if not ('jarsigner' in config and 'keytool' in config):
+    if not (('jarsigner' in config or 'apksigner' in config)
+            and 'keytool' in config):
         raise FDroidException(_('Java JDK not found! Install in standard location or set java_paths!'))
 
     repodirs = ['repo']