I'm switching my CI process from producing APK files to App Bundles. One stage in my pipeline will, after producing the signed binary, dump the signature and validate the signature on the APK to make sure it's signed properly before continuing.
> apksigner verify --print-certs my-signed-binary.apk
Signer #1 certificate DN: CN=<NAME>, OU=<GROUP>, O=<COMPANY>, L=<CITY>, ST=<STATE>, C=<COUNTRY>
Signer #1 certificate SHA-256 digest: <DIGEST1>
Signer #1 certificate SHA-1 digest: <DIGEST2>
Signer #1 certificate MD5 digest: <DIGEST3>
Is there an equivalent to dump the signature on the overall App Bundle once it's been produced?
I tried using jarsigner, but ended up with hundreds of lines of output.
> jarsigner -verbose -verify -certs my-signed-binary.aab
...
smk 12 Wed Dec 31 16:00:00 PST 1969 base/assets.pb
>>> Signer
X.509, CN=<NAME>, OU=<GROUP>, O=<ORGANIZATION>, L=<CITY>, ST=<STATE>, C=<COUNTRY> (myapp)
[certificate is valid from 5/31/13 1:27 PM to 10/16/40 1:27 PM]
smk 85 Wed Dec 31 16:00:00 PST 1969 base/native.pb
>>> Signer
X.509, CN=<NAME>, OU=<GROUP>, O=<ORGANIZATION>, L=<CITY>, ST=<STATE>, C=<COUNTRY> (myapp)
[certificate is valid from 5/31/13 1:27 PM to 10/16/40 1:27 PM]
smk 2075002 Wed Dec 31 16:00:00 PST 1969 base/resources.pb
>>> Signer
X.509, CN=<NAME>, OU=<GROUP>, O=<ORGANIZATION>, L=<CITY>, ST=<STATE>, C=<COUNTRY> (myapp)
[certificate is valid from 5/31/13 1:27 PM to 10/16/40 1:27 PM]
542451 Tue Jan 01 00:00:00 PST 1980 META-INF/MYAPP.SF
1390 Tue Jan 01 00:00:00 PST 1980 META-INF/MYAPP.RSA
s k 542352 Tue Jan 01 00:00:00 PST 1980 META-INF/MANIFEST.MF
>>> Signer
X.509, CN=<NAME>, OU=<GROUP>, O=<ORGANIZATION>, L=<CITY>, ST=<STATE>, C=<COUNTRY> (myapp)
[certificate is valid from 5/31/13 1:27 PM to 10/16/40 1:27 PM]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
- Signed by "CN=<NAME>, OU=<GROUP>, O=<ORGANIZATION>, L=<CITY>, ST=<STATE>, C=<COUNTRY>"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
Is the very last part of this ("Signed by...") the signature of the overall App Bundle? Is there an easier way to get the signature of the App Bundle than hacking this output with sed?
I used keytool and I think it produces correct results:
keytool -printcert -jarfile my-signed-binary.aab
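One way to turn this into a pipeline stage, as an added example that is not from the question or the answer above: it verifies the bundle's JAR signature with jarsigner and then pins the signing certificate's SHA-256 fingerprint taken from `keytool -printcert -jarfile`. It assumes a JDK on PATH and that the pipeline supplies the expected fingerprint (the `EXPECTED_SIGNER_SHA256` name is a placeholder); the parsing helpers work on keytool's text output alone.

```shell
#!/bin/sh
# Added example (not from the original post): pin the App Bundle signer in CI.
# Assumes keytool and jarsigner from a JDK are on PATH.

# Print the first SHA-256 fingerprint from `keytool -printcert` output read
# on stdin, uppercased and colon-separated as keytool prints it.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' \
        | head -n 1 | tr 'a-f' 'A-F'
}

# Compare a fingerprint with the pinned value, ignoring colons and case.
# Returns 0 on match; an empty fingerprint never matches.
fingerprint_matches() {
    got=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Full check for one .aab: the JAR signature must verify and the signing
# certificate must match the pinned fingerprint.
verify_aab() {
    aab=$1
    expected=$2
    # -strict turns warnings (expired certificate, unsigned entries) into a
    # non-zero exit, so they fail the stage instead of being printed and ignored.
    jarsigner -verify -strict "$aab" >/dev/null || {
        echo "FAIL: jarsigner could not verify $aab" >&2
        return 1
    }
    actual=$(keytool -printcert -jarfile "$aab" | extract_sha256)
    if fingerprint_matches "$actual" "$expected"; then
        echo "OK: $aab is signed by $actual"
    else
        echo "FAIL: $aab signer $actual does not match pinned $expected" >&2
        return 1
    fi
}

# Pipeline usage (placeholder variable supplied by the CI environment):
#   verify_aab my-signed-binary.aab "$EXPECTED_SIGNER_SHA256"
```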