How to verify SHA256 fingerprint of APK

  • I have downloaded the Signal app from https://signal.org/android/apk/. To verify the download, there is a fingerprint provided. But how can I verify this fingerprint with the file? I know that I can use sha256sum to verify a hash, but I guess for a fingerprint I need a certificate or something similar?

    Fingerprint is just another name for the hash

    No, the hash of the download looks like `0fe5f808b4827254543de92f524af6cfba1e3142a5823f62966d325a9e725016`; the fingerprint on the website is `29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26`

  • You've missed a key word in the download page:

    You can verify the signing certificate on the APK matches this SHA256 fingerprint

    (emphasis mine)

    APK files are just ZIP files in reality, so open it up with whatever archive tool you want (I use 7zip) and extract META-INF\CERT.RSA from it. You can then verify that the certificate fingerprint matches what is written on the site. Note that this isn't the same as the hash of the whole certificate either! You'll need to use keytool to check it.

    The keytool binary is included in the Java JDK (usually in the %ProgramFiles%\Java\jdk_<version>\bin\ directory), and can be used as follows:

    keytool -printcert -file X:\Path\To\CERT.RSA
    

    Output looks like this:

    Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Serial number: 4bfbebba
    Valid from: Tue May 25 16:24:42 BST 2010 until: Tue May 16 16:24:42 BST 2045
    Certificate fingerprints:
             MD5:  D9:0D:B3:64:E3:2F:A3:A7:BD:A4:C2:90:FB:65:E3:10
             SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
             SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
             Signature algorithm name: SHA1withRSA
             Version: 3
    

    You can see that the SHA256 fingerprint matches what we saw on the site.

    Once you've verified this you can go ahead and install the APK onto your Android device. Since you've verified that the signing certificate inside the APK matches the one that Signal expects you to see, you can then rely upon the Android operating system to validate that the APK is properly signed - it won't allow you to load it otherwise.

    The fingerprints _are_ hashes of the cert, but the `META-INF/signer.{DSA,RSA,EC}` entry/file is not just the cert -- it is a PKCS7 SignedData detached signature _containing_ the cert chain, and a PKCS7 SignedData containing a cert chain is one of the things (`CertificateFactory` and) `keytool` can read, but of course the hash of the PKCS7 differs from the hash of the cert.

    Just verifying the certificate is IMHO not enough on Android, as by definition self-signed certificates are used. Whether you can trust a certificate is therefore a difficult question. The only way is to check the other apps that have been signed using the same certificate. The only way I know to do so is to use the PlayStore crawling service androidobservatory.org. It has an API for checking which apps have been signed by the same certificate based on the SHA-1 fingerprint of the certificate: https://androidobservatory.org/cert/45989DC9AD8728C2AA9A82FA55503E34A8879374
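    To make the point in the comments above concrete, here is an added example (not code from the original answer or from Signal) that walks the DER structure of a `META-INF/CERT.RSA` signature block, pulls out the embedded certificate, and prints it as a keytool-style fingerprint. It uses only the standard library, so the sample PKCS#7 blob is constructed inline with a dummy SEQUENCE in place of a real X.509 certificate; `matches` accepts both the colon-separated form keytool prints and the bare lowercase hex that apksigner prints.

```python
import hashlib

SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")   # OID 1.2.840.113549.1.7.2, DER-encoded

def _tlv_at(buf, pos):
    """Parse one DER TLV at pos; return (tag, content_start, content_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos, pos + first

def certificates_from_pkcs7(blob):
    """Return the DER bytes of every Certificate inside a PKCS#7 SignedData (META-INF/CERT.RSA)."""
    tag, pos, _ = _tlv_at(blob, 0)                      # ContentInfo SEQUENCE
    _, _, oid_end = _tlv_at(blob, pos)                  # contentType OID
    if tag != 0x30 or blob[pos:oid_end] != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, sd_pos, _ = _tlv_at(blob, oid_end)               # content [0] EXPLICIT
    _, pos, sd_end = _tlv_at(blob, sd_pos)              # SignedData SEQUENCE
    certs = []
    while pos < sd_end:                                 # version, digestAlgorithms, contentInfo, [0] ...
        tag, start, end = _tlv_at(blob, pos)
        if tag == 0xA0:                                 # certificates [0] IMPLICIT SET OF Certificate
            while start < end:
                _, _, cert_end = _tlv_at(blob, start)
                certs.append(blob[start:cert_end])      # the whole TLV is what keytool fingerprints
                start = cert_end
            break
        pos = end
    return certs

def fingerprint(der, algo="sha256"):
    """keytool-style fingerprint: upper-case hex pairs joined by colons."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def matches(der, expected, algo="sha256"):
    """Compare against a published value in either keytool (29:F3:..) or apksigner (29f34e..) form."""
    return fingerprint(der, algo).replace(":", "") == expected.replace(":", "").upper()

def _der(tag, content):                                  # short-form DER encoder for the sample (< 128 bytes)
    return bytes([tag, len(content)]) + content

# Constructed sample: a dummy SEQUENCE stands in for an X.509 Certificate (not Signal's real cert)
SAMPLE_CERT = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"constructed dummy certificate body"))
SAMPLE_PKCS7 = _der(0x30, SIGNED_DATA_OID + _der(0xA0, _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"")
                    + _der(0x30, b"") + _der(0xA0, SAMPLE_CERT) + _der(0x31, b""))))
```

    Running `fingerprint(SAMPLE_PKCS7)` (what sha256sum over the file gives) and `fingerprint(certificates_from_pkcs7(SAMPLE_PKCS7)[0])` (what keytool reports) shows two different values, which is exactly why hashing CERT.RSA itself does not reproduce the published fingerprint.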

  • The correct way to verify an APK file is to use apksigner from Android SDK.

    Unlike the other answers here, which are based on keytool, apksigner has two major advantages:

    1. It actually verifies that the signature is correct and the APK has not been modified.
    2. It does not rely on the old APK signature scheme v1 (also known as "JAR signature"). Instead it can also process APKs that have been signed using APK signature scheme v2 and v3 (there are already apps available that don't have a v1 signature at all, so those apps can't be checked using keytool).

    apksigner is part of the Android build tools, therefore you may find multiple versions installed, one for each build-tools version installed.

    One example path within the Android SDK to apksigner is:

    android-sdk/build-tools/29.0.2/apksigner
    

    Execute apksigner this way:

    apksigner verify --verbose --print-certs "Signal-website-universal-release-4.49.13.apk"
    
    Verifies
    Verified using v1 scheme (JAR signing): true
    Verified using v2 scheme (APK Signature Scheme v2): true
    Verified using v3 scheme (APK Signature Scheme v3): true
    Number of signers: 1
    Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
    Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374
    Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310
    Signer #1 key algorithm: RSA
    Signer #1 key size (bits): 1024
    Signer #1 public key SHA-256 digest: 75336a3cc9edb64202cd77cd4caa6396a9b5fc3c78c58660313c7098ea248a55
    Signer #1 public key SHA-1 digest: b46cbed18d6fbbe42045fdb93f5032c943d80266
    Signer #1 public key MD5 digest: 0f9c33bbd45db0218c86ac378067538d
    <skipped a lot of warnings>
    

    Now you have verified the APK, but you still don't know if you can trust the person/organization who has signed the APK file. This is because on Android, APK signatures by definition use self-signed certificates. Whether you can trust a certificate is therefore a difficult question. The only way is to check the other apps that have been signed using the same certificate.

    The only way I know to do so is to use the PlayStore crawling service androidobservatory.org. It has an API for checking which apps have been signed by the same certificate using the certificate SHA-1 digest:

    https://androidobservatory.org/cert/45989DC9AD8728C2AA9A82FA55503E34A8879374

    On this page you can see all the other APK files on Google Play Store that are signed with the same certificate.

  • The currently working solution is

    $ keytool -printcert -jarfile file.apk
    

    Taken from this thread.

    Works for me with the Signal apk and `openjdk-11-jre-headless` version 11.0.7+10-3~deb10u1 (Debian 10 stable), thanks!

  • You should not open it. It should be used as a command in the terminal, as in the provided example:

    keytool -printcert -file X:\Path\To\CERT.RSA
    

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM