Extract raw X.509 Certificate from a signed APK or JAR
I have a library of MD5 hashes of public keys used to sign various jars, and a mapping to their respective keystores which we use to sign different APKs. What I'd like to be able to do is identify which keystore was used to sign an APK, but without using trial and error. (Also, sadly, many of our keys share similar or identical DNs.)

My solution, because I know the META-INF/FOO.RSA (or FOO.DSA) contains the certificate, was to extract the certificate from the APK's RSA file and directly calculate the MD5 hash. (I know the certificate is there because it is accessible to a running android application, and the jarsigner documentation tells me it is there.)

But I can't find any tool that gives me the actual bytes of the certificate. I can get the DN and the certificate metadata when I use jarsigner -verbose -verify -certs my.apk, but that doesn't give me the bytes.

Conto answered 3/12, 2012 at 22:29 Comment(0)

Extract the JAR, then use 'openssl' to output the certificate:

So assuming 'foo.jar' is in your current directory, do something like:

mkdir temp
cd temp
jar -xvf ../foo.jar
cd META-INF
openssl pkcs7 -in FOO.RSA -print_certs -inform DER -out foo.cer
Unscrew answered 22/3, 2013 at 17:50 Comment(1)
On Windows, it's easier to rename FOO.RSA to FOO.p7b and double-click it. Windows has a built-in tool to read PKCS #7 files. – Heddy

Hexdump FOO.RSA. The last n bytes are the signature itself, where n depends on the key length (e.g., 1024 bit RSA). If you sign something twice with the same key, you can diff the .RSA files and see that only the last n bytes change; the static part of the file is the cert and the bits that change are the signature on the hash of FOO.sf. There may be a delimiter between the cert and signature that you'd also have to remove.

Hellhound answered 19/2, 2013 at 2:18 Comment(1)
Thanks so much! I just got a script working. For those who are curious, the .RSA file appears to have the following pattern:
* 54 bytes of unknown information
* a 2-byte short (big-endian) with the length of the upcoming certificate
* the n bytes of the certificate
* unknown
– Conto
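As an added example that is not part of either answer: the "unknown" leading bytes in the pattern above are the PKCS#7 ContentInfo and SignedData headers (their exact count depends on the digest algorithm), and the 2-byte short is the DER length field of the certificate SEQUENCE, so a small DER walker can pull the certificate out of any signature block without guessing offsets. This stdlib-only Python script reads META-INF/*.RSA, *.DSA or *.EC straight from the APK or JAR, returns each embedded certificate and its SubjectPublicKeyInfo, and hashes both with MD5 so they can be matched against a key library as the question asks; the sample signature block at the bottom is constructed for the test and is not a real signature.

```python
import hashlib
import zipfile

def der_read(buf, off=0):
    """Read one DER TLV at buf[off]; return (tag, value, end_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Yield (tag, inner_value, raw_tlv) for each element of a constructed value."""
    off = 0
    while off < len(value):
        tag, inner, end = der_read(value, off)
        yield tag, inner, value[off:end]
        off = end

def certs_from_pkcs7(blob):
    """DER certificates carried by a PKCS#7 SignedData, i.e. a META-INF/*.RSA|DSA|EC file."""
    _, content, _ = list(der_children(der_read(blob)[1]))[1]   # ContentInfo -> [0] content
    for tag, value, _ in der_children(der_read(content)[1]):  # SignedData fields, in order
        if tag == 0xA0:                                       # [0] IMPLICIT certificates
            return [raw for t, _, raw in der_children(value) if t == 0x30]
    return []

def subject_public_key_info(cert_der):
    """DER SubjectPublicKeyInfo: the bytes to hash for a public-key (not certificate) MD5."""
    tbs = der_read(der_read(cert_der)[1])[1]                  # tbsCertificate
    fields = [raw for tag, _, raw in der_children(tbs) if tag != 0xA0]  # skip [0] version
    return fields[5]            # serial, signature, issuer, validity, subject, then SPKI

def signer_hashes(blob):
    """[(md5 of certificate DER, md5 of its SubjectPublicKeyInfo), ...] for one block."""
    return [(hashlib.md5(c).hexdigest(), hashlib.md5(subject_public_key_info(c)).hexdigest())
            for c in certs_from_pkcs7(blob)]

def apk_signer_hashes(apk_path):
    """Same, read straight from the APK/JAR without unpacking it first."""
    with zipfile.ZipFile(apk_path) as z:
        return {n: signer_hashes(z.read(n)) for n in z.namelist()
                if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))}

# Constructed sample (not a real signature): a placeholder cert with empty names, dummy key bits and dummy signature inside a valid SignedData.
der_tlv = lambda tag, p: bytes([tag, len(p)]) + p             # tiny encoder, short-form lengths only
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))) + der_tlv(0x03, b"\x00" + b"\x42" * 16))
SAMPLE_TBS = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + der_tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der_tlv(0x30, SAMPLE_TBS + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" + b"\x99" * 8))
SAMPLE_PKCS7 = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010702")) + der_tlv(0xA0, der_tlv(
    0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + der_tlv(0x30, b"") + der_tlv(0xA0, SAMPLE_CERT) + der_tlv(0x31, b""))))
```

Run apk_signer_hashes("my.apk") on a real file; the certificate MD5 it prints matches `openssl x509 -inform DER -in foo.cer -outform DER | md5sum` on the file the accepted answer produces.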
