How do I verify that an Android apk is signed with a release certificate?
Asked Answered
H

8

326

How can I check that an Android apk is signed with a release and not debug cert?

Holding answered 18/8, 2011 at 8:41 Comment(7)
I wrote a script that will validate an apk against a keystore.Aegean
accept answer if you have got yours.Cryolite
@Aegean How can I run your script in Mac?Canaster
@Aegean How can I run your script?Barkley
@Barkley It's a bash script that creates a new bash function. follow the link and paste it into a file then source thatfile. Comments in the script explain how to run it.Aegean
@PavelGP 's answer is the best one for dealing with apks. jarsigner and keytool will sometimes incorrectly report that the apk is Not a signed jar file when it's signed with the android debug key, whereas apksigner will report the android debug key correctly.Albertalberta
Nowadays, you must use apksigner to verify the signature of an APK if you want to be sure that the result is correct. Starting from Android 7.0, new signature schemes have been introduced that cannot be verified using keytool. And as the Android build tools will use these new signature schemes exclusively depending on an app's minSdk, keytool will show invalid information for such apps.Rutty
C
448

Use this command, (go to java < jdk < bin path in cmd prompt)

$ jarsigner -verify -verbose -certs my_application.apk

If you see "CN=Android Debug", this means the .apk was signed with the debug key generated by the Android SDK (means it is unsigned), otherwise you will find something for CN. For more details see: http://developer.android.com/guide/publishing/app-signing.html

Curren answered 18/8, 2011 at 8:46 Comment(8)
I got the message as jar verified at the end of the command execution for 2 diff apk files.so got confused. but as it gives CN="android debug" for 1 apk and different for other apk .got to knw which 1 is signed .Thanks .Bravo
@Bravo ALL apps need to be signed before installing on a device, using either debug key or real key.Virago
How does this verify the signature? Will it use the system's trusted CAs? Or this is only a tool to check the integrity of the jar files? Thank youSwelling
this means the .apk was signed with the debug key generated by the Android SDK (means it is unsigned) - this does not means it is unsigned. It means what you just wrote - it is signed with debug key.Interatomic
How could we check that it was signed with the same exact certificate file, and not just one that happens to have the same values for organisation, location, etc.. ?Stahl
Thanks. So jarsigner -verify -verbose -certs myapp.apk | grep CN= | less and we should not see "CN=Android Debug".Farris
hello i got message jar verified is signed or not.Pastoral
To use something other than the debug keystore, use jarsigner -verify -keystore my_prod_keystore.jks -verbose -certs my_application.apkKittiekittiwake
R
151

Use console command:

apksigner verify --print-certs application-development-release.apk

You could find apksigner in ../sdk/build-tools/24.0.3/apksigner.bat. Only for build tools v. 24.0.3 and higher.

Also read google docs: https://developer.android.com/studio/command-line/apksigner.html

Rhondarhondda answered 15/12, 2016 at 13:8 Comment(7)
I found apksigner in `%LOCALAPPDATA%\Android\sdk\build-tools\25.0.3` (and every other build tools version I had installed)Alvin
Note that apksigner is missing in version 26.0.0 of build-tools. It is tracked in issuetracker.google.com/issues/62696222 and supposed to be fixed in the next version. The workaround until then is to use apksigner from 25.0.3.Papilloma
Update: apksigner is included in version 26.0.1Kansu
Update: APKSigner is also in 26.0.2, 26.0.3, 27.0.0, 27.0.1, 27.0.2 I believe you will find it in all future releases :)Jessiajessica
for verbose output use -v : ./apksigner verify --print-certs -v ~/Downloads/MyAppHere.apkHenchman
This is the best option for apks, as sometimes both the jarsigner and keytool will incorrectly report that the apk is Not a signed jar file but apksigner gets it right every time.Albertalberta
getting error like file not foundPaton
J
85

The easiest of all:

keytool -printcert -jarfile file.apk

This uses the Java built-in keytool app and does not require extraction or any build-tools installation.

Janey answered 9/4, 2019 at 0:58 Comment(3)
For anyone who can't run keytool immediately, check this and maybe try adding %JAVA_HOME%\bin to the pathBoast
We can check for the app bundle using the same command.Elihu
You can use only one command at once, list or printcert.Dessert
D
64

Use this command : (Jarsigner is in your Java bin folder goto java->jdk->bin path in cmd prompt)

$ jarsigner -verify my_signed.apk

If the .apk is signed properly, Jarsigner prints "jar verified"

Dowable answered 18/8, 2011 at 8:50 Comment(2)
This is not good enough since both debug and release apks are signed will give "jar verified". Check the details of @Anass's answer.Farris
I tried exactly this command and it verified. Then as an experiment I went into the APK and deleted literally every file except the sig files and the manifest, and it still verified. So something is very wrong here. However I have yet to try @Anass's answer.Phlegethon
D
4

Run this command in Terminal - if you have Android Studio.

$ /Applications/Android\ Studio.app/Contents/jre/Contents/Home/bin/keytool -printcert -jarfile example.apk
Not a signed jar file
Depressive answered 1/10, 2021 at 15:25 Comment(0)
F
3

Using keytool or jarsigner may not work for you. You need to first understand how signing works. See here.

If your min API is lower than 24, v1 signing will be included in apk (inside META_INF). And because of that, these two tools will "poop out" your cert keys.

If using min API 24 or higher, v1 signing will be excluded (unless you enable it on your own in build.gradle). In this case keytool or jarsigner don't work. They will output Not a signed jar file or jar is unsigned. To verify v2+ signature, you should use apksigner instead.

Fino answered 29/1, 2023 at 19:42 Comment(0)
O
2
    1. unzip apk
    1. keytool -printcert -file ANDROID_.RSA or keytool -list -printcert -jarfile app.apk to obtain the hash md5
  • keytool -list -v -keystore clave-release.jks
  • compare the md5

https://www.eovao.com/en/a/signature%20apk%20android/3/how-to-verify-signature-of-.apk-android-archive

Olenolin answered 22/4, 2020 at 8:35 Comment(0)
D
0
keytool -printcert -jarfile base.apk
Duumvir answered 26/11, 2020 at 13:26 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.