Menu
What's the easiest way to find signature of an apk file? Please note that I'm not asking about code. I just want to find it from my pc. Signature like this one 975yYkKAQF+KST7g3ASHvHkYopq=
221
APK Signature Scheme v2 is a whole-file signature scheme that increases verification speed and strengthens integrity guarantees by detecting any changes to the protected parts of the APK.
Android Security Verifying App Signature - Tamper Detection We can break this technique into 3 simple steps: Find your developer certificate signature. Embed your signature in a String constant in your app. Check that the signature at runtime matches our embedded developer signature.
APK signing has been a part of Android from the beginning. It is based on signed JAR. For details on using this scheme, see the Android Studio documentation on Signing your app. v1 signatures do not protect some parts of the APK, such as ZIP metadata.
$ $ANDROID_SDK/build-tools/$BUILD_TOOLS_VERSION/apksigner verify --print-certs -v $APK_FILE
Example:
$ /Users/hborders/android/build-tools/29.0.2/apksigner verify --print-certs -v ~/Desktop/my-apk.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=Bob Smith, OU=Acme, O=Acme, L=San Francisco, ST=California, C=US
Signer #1 certificate SHA-256 digest: f1f2f3f3f21f26a67s76a6a76a76a76a76a67c78c8c78c709c90c90c09932451
Signer #1 certificate SHA-1 digest: 839103847abdefcbade123713957358920
Signer #1 certificate MD5 digest: 182831983712923f2e2e2f2a2c2fbc25
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
Signer #1 public key SHA-256 digest: 8acaca8cabcaabdadc8cc99cc695ace47aec4c747c746c476cae4657c47c4765
Signer #1 public key SHA-1 digest: b11bca4123bea24befbe5b8be9768ef078
apksigner is part of the Android SDK in the build-tools directory. It's the tool print-apk-signature uses.
80
Signature[] sigs = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures;
for (Signature sig : sigs)
{
Trace.i("MyApp", "Signature hashcode : " + sig.hashCode());
}
http://developer.android.com/reference/android/content/pm/PackageManager.html
this might help
First, unzip the APK and extract the file /META-INF/ANDROID_.RSA (this file may also be CERT.RSA, but there should only be one .RSA file).
Then issue this command:
keytool -printcert -file ANDROID_.RSA You will get certificate fingerprints like this:
MD5: B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
Signature algorithm name: SHA1withRSA
Then use the keytool again to print out all the aliases of your signing keystore:
keytool -list -keystore my-signing-key.keystore You will get a list of aliases and their certificate fingerprint:
android_key, Jan 23, 2010, PrivateKeyEntry, Certificate fingerprint (MD5): B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB Voila! we can now determined the apk has been signed with this keystore, and with the alias 'android_key'.
Keytool is part of Java, so make sure your PATH has Java installation dir in it.
How do I find out which keystore was used to sign an app?
27
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
