How can I check that an Android apk is signed with a release and not debug cert?
Use this command, (go to java < jdk < bin path in cmd prompt)
$ jarsigner -verify -verbose -certs my_application.apk
If you see "CN=Android Debug", this means the .apk was signed with the debug key generated by the Android SDK (means it is unsigned), otherwise you will find something for CN. For more details see: http://developer.android.com/guide/publishing/app-signing.html
this means the .apk was signed with the debug key generated by the Android SDK (means it is unsigned)
- this does not means it is unsigned. It means what you just wrote - it is signed with debug key. –
Interatomic jarsigner -verify -verbose -certs myapp.apk | grep CN= | less
and we should not see "CN=Android Debug". –
Farris jarsigner -verify -keystore my_prod_keystore.jks -verbose -certs my_application.apk
–
Kittiekittiwake Use console command:
apksigner verify --print-certs application-development-release.apk
You could find apksigner in ../sdk/build-tools/24.0.3/apksigner.bat. Only for build tools v. 24.0.3 and higher.
Also read google docs: https://developer.android.com/studio/command-line/apksigner.html
apksigner
in `%LOCALAPPDATA%\Android\sdk\build-tools\25.0.3` (and every other build tools version I had installed) –
Alvin apksigner
is missing in version 26.0.0
of build-tools. It is tracked in issuetracker.google.com/issues/62696222 and supposed to be fixed in the next version. The workaround until then is to use apksigner
from 25.0.3
. –
Papilloma apksigner
is included in version 26.0.1
–
Kansu ./apksigner verify --print-certs -v ~/Downloads/MyAppHere.apk
–
Henchman jarsigner
and keytool
will incorrectly report that the apk is Not a signed jar file
but apksigner
gets it right every time. –
Albertalberta The easiest of all:
keytool -printcert -jarfile file.apk
This uses the Java built-in keytool app and does not require extraction or any build-tools installation.
keytool
immediately, check this and maybe try adding %JAVA_HOME%\bin
to the path –
Boast list
or printcert
. –
Dessert Use this command : (Jarsigner is in your Java bin folder goto java->jdk->bin path in cmd prompt)
$ jarsigner -verify my_signed.apk
If the .apk is signed properly, Jarsigner prints "jar verified"
Run this command in Terminal - if you have Android Studio.
$ /Applications/Android\ Studio.app/Contents/jre/Contents/Home/bin/keytool -printcert -jarfile example.apk
Not a signed jar file
Using keytool
or jarsigner
may not work for you. You need to first understand how signing works. See here.
If your min API is lower than 24, v1 signing will be included in apk (inside META_INF
). And because of that, these two tools will "poop out" your cert keys.
If using min API 24 or higher, v1 signing will be excluded (unless you enable it on your own in build.gradle
). In this case keytool
or jarsigner
don't work. They will output Not a signed jar file
or jar is unsigned
. To verify v2+ signature, you should use apksigner
instead.
- unzip apk
keytool -printcert -file ANDROID_.RSA or keytool -list -printcert -jarfile app.apk
to obtain the hash md5
keytool -list -v -keystore clave-release.jks
- compare the md5
© 2022 - 2024 — McMap. All rights reserved.
source thatfile
. Comments in the script explain how to run it. – Aegeanjarsigner
andkeytool
will sometimes incorrectly report that the apk isNot a signed jar file
when it's signed with the android debug key, whereasapksigner
will report the android debug key correctly. – Albertalbertaapksigner
to verify the signature of an APK if you want to be sure that the result is correct. Starting from Android 7.0, new signature schemes have been introduced that cannot be verified usingkeytool
. And as the Android build tools will use these new signature schemes exclusively depending on an app'sminSdk
,keytool
will show invalid information for such apps. – Rutty