 

Determine signing certificate from an APK

I have created a signed APK from Eclipse for Android. I want to know which RSA certificate type is used in that signed APK, like RSA-1024 or RSA-2048.

How would I know that from the APK file?

EDIT Title changed from "Which RSA certificate is used in signed APK in Eclipse? How to know RSA key size (1024/2048)?"

asked Jun 14 '14 07:06 by Narendra




1 Answer

Which RSA certificate is used in signed APK in Eclipse?

Under Eclipse during debugging (and in the absence of another key), you will sign with the default Android debug key.

Eclipse creates it if it's not present. The key is added to debug.keystore, with a store and key password of android. See Signing in Debug Mode at Android's Signing Your Application.


You can sign with a few tools, including keytool or jarsigner. But I believe you need to use another tool to examine the certificate in the APK.

You can use OpenSSL to dump the relevant bits since it's PKCS #7, but you need to manually extract the relevant files from the APK.


For signing, I use jarsigner when working from the command line. For example, on Windows with the Debug key:

jarsigner -verbose -keystore C:\Users\<user>\.android\debug.keystore \
    -storepass android -keypass android -digestalg SHA1 \
    -sigalg SHA1withRSA <package name>.apk androiddebugkey

Eclipse does something similar for you under the IDE.


You can't use jarsigner to dump the information. For example, the following will print the distinguished name, but it will not print the subjectPublicKeyInfo block:

$ jarsigner -verbose -certs -verify Test.apk

Similarly, you can't use keytool because it does not print the subjectPublicKeyInfo block either:

$ keytool -printcert -file META-INF/CERT.RSA

To determine the certificate in the APK, you need to look at a couple of files. The files of interest are in the META-INF directory of the APK. The signatures are in an .SF file along with a .RSA file (or .DSA file) for each signer. The signer's .RSA file (or .DSA file) is just PKCS #7 format.

I say "the signatures are in..." because individual elements of the APK are signed, and not the entire APK. So classes.dex gets signed, AndroidManifest.xml gets signed, each icon in res/ gets signed, etc.

Note: while jarsigner supports multiple signatures, Android only supports one signer (if I recall correctly).


Here's an example with an APK called CrackMe.apk using OpenSSL.

$ mkdir APK-test
$ mv CrackMe.apk APK-test
$ cd APK-test

Next, unpack the APK. It's just a ZIP file with additional metadata in META-INF/.

$ unzip -a CrackMe.apk 
$ ls
AndroidManifest.xml    META-INF             res
CrackMe.apk            classes.dex          resources.arsc

Next, take a look in the META-INF directory.

$ cd META-INF/
$ ls
CERT.RSA    CERT.SF    MANIFEST.MF

The signatures are in CERT.SF, and the signer is in CERT.RSA.

Finally, use OpenSSL to parse CERT.RSA.

$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1346030704 (0x503acc70)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Validity
            Not Before: Aug 27 01:25:04 2012 GMT
            Not After : Dec  5 01:25:04 2035 GMT
        Subject: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:8d:a8:9a:34:84:d5:72:4f:e8:e7:69:78:e4:17:
                    13:93:e8:c5:23:a0:93:a7:f8:6c:58:3d:f0:ed:30:
                    ...
                    c1:2d:5e:9f:a4:79:56:19:7d:26:4d:27:6a:3e:26:
                    c0:fd:6a:ed:24:e9:62:80:73:8d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         80:c0:ac:a5:65:13:f3:2d:dd:d5:71:82:7c:2e:72:63:72:cf:
         76:49:4b:09:3c:12:e7:d6:9b:3d:53:8b:d4:e0:9c:ff:f2:d6:
         ...
         80:4d:9b:15:3f:82:1a:72:b2:4b:fd:05:2b:e7:36:f0:43:98:
         80:b7:8f:6c:fd:64

You can also use -pubkey when utilizing x509 to extract the public key PEM format:

$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -noout -pubkey 
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

If interested in the Android APK validation code, see collectCertificates from PackageParser.java.

answered Oct 22 '22 11:10 by jww
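The procedure in the answer above (unzip the APK, find META-INF/CERT.RSA, read the subjectPublicKeyInfo), as an added example that is not part of the original answer: a standard-library Python script that walks the PKCS #7 DER itself instead of piping through OpenSSL, and reports the RSA modulus size for every META-INF/*.RSA signer block in an APK. It assumes the v1 (JAR) signature layout described in the answer; the APK path on the command line is a placeholder.

```python
"""Report the RSA key size of an APK's v1 (JAR) signing certificate(s).
Added example, standard library only; the DER walker is minimal (DER, not BER)."""
import sys
import zipfile

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der_walk(data):
    """Yield (tag, value) for each TLV element at one level of a DER blob."""
    offset = 0
    while offset < len(data):
        tag, length = data[offset], data[offset + 1]
        offset += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[offset:offset + n], "big")
            offset += n
        yield tag, data[offset:offset + length]
        offset += length


def find_rsa_modulus_bits(node):
    """Depth-first search for SEQUENCE { AlgorithmIdentifier(rsaEncryption), BIT STRING },
    i.e. the signer certificate's SubjectPublicKeyInfo; returns modulus bits or None."""
    children = list(der_walk(node))
    if [tag for tag, _ in children] == [0x30, 0x03]:
        alg = list(der_walk(children[0][1]))
        if alg and alg[0] == (0x06, RSA_OID):
            # BIT STRING: unused-bit count byte, then RSAPublicKey SEQUENCE { n, e }
            rsa_key = next(der_walk(children[1][1][1:]))[1]
            modulus = next(der_walk(rsa_key))[1]
            return int.from_bytes(modulus, "big").bit_length()
    for tag, value in children:
        if tag & 0x20:  # constructed type ([0], SEQUENCE, SET): descend into it
            bits = find_rsa_modulus_bits(value)
            if bits:
                return bits
    return None


def apk_signer_key_bits(apk_path):
    """Map each META-INF/*.RSA signer block in the APK to its RSA modulus size."""
    with zipfile.ZipFile(apk_path) as apk:
        return {name: find_rsa_modulus_bits(apk.read(name))
                for name in apk.namelist()
                if name.upper().startswith("META-INF/") and name.upper().endswith(".RSA")}


if __name__ == "__main__":
    for signer, bits in apk_signer_key_bits(sys.argv[1]).items():  # e.g. CrackMe.apk
        print(f"{signer}: RSA-{bits}" if bits else f"{signer}: no RSA public key found")
```

A .DSA signer block, or an APK carrying only v2/v3 signatures and no META-INF/*.RSA, yields no RSA size, which the script reports explicitly rather than guessing.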