Validating side-loaded APKs

Posted on Thu 13 August 2015 in android

I was desperate to try Hangouts 4.0 for Android, but suspicious of side-loading. I wanted to verify that the APK's signing certificate carried Google's SHA1 fingerprint of

38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88

Here's how to check the signatures on an APK, as usual in shell functions (a JDK is needed, for jarsigner and keytool):

# verify the JAR signature and list the signer certificates
apk-check () {
    jarsigner -verify -verbose -certs "$1"
}

# print the signing certificate(s), including their fingerprints
apk-print-cert () {
    keytool -list -printcert -jarfile "$1"
}

# usage
# make sure it's verified
$ apk-check *apk|grep verified
  s = signature was verified
jar verified.
# show cert identifier
$ apk-check *apk|grep X.509|head -n2
      X.509, CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
      X.509, CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
$ apk-print-cert *apk|grep SHA1
     SHA1: 38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88
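To turn the last two manual steps into a single pass/fail check, here is an added shell script (not from the original post) that parses keytool -printcert output, normalises the SHA1 fingerprint and compares it to the expected value, failing closed when no fingerprint or more than one signer is found. The function names are my own; only the expected fingerprint comes from the post.

```shell
# Expected signer fingerprint, taken from the post above (Google's Hangouts cert).
EXPECTED_SHA1='38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88'

# Read `keytool -printcert` output on stdin and print each SHA1 fingerprint
# it contains, one per line, normalised to upper case with no surrounding space.
sha1_from_printcert () {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*\([^[:space:]]*\).*/\1/p' | tr 'a-f' 'A-F'
}

# apk_fingerprint_ok EXPECTED  < printcert-output
# Succeeds only if exactly one signer fingerprint is present and it equals EXPECTED.
# The X.509 subject (O=Google Inc. etc.) is just text anyone can put in a
# self-signed cert; comparing the fingerprint is what actually pins the signer.
apk_fingerprint_ok () {
    expected=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    found=$(sha1_from_printcert)
    if [ -z "$found" ]; then
        echo 'no SHA1 fingerprint in keytool output' >&2; return 1
    fi
    if [ "$(printf '%s\n' "$found" | grep -c .)" -ne 1 ]; then
        echo 'more than one signer cert; inspect manually' >&2; return 1
    fi
    [ "$found" = "$expected" ]
}

# Wrapper for a real APK; assumes the JDK's keytool is on PATH, as in the post.
apk_verify_signer () {
    if keytool -list -printcert -jarfile "$1" | apk_fingerprint_ok "$EXPECTED_SHA1"; then
        echo "$1: signed by the expected certificate"
    else
        echo "$1: SIGNER MISMATCH, do not install" >&2; return 1
    fi
}
```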