Как проверить sha256 в android устройствах

How to verify SHA256 fingerprint of APK

I have downloaded the signal app from https://signal.org/android/apk/. To verify the download, there is a fingerprint provided. But how can I verify this fingerprint with the file? I know that I can use sha256sum to verify a hash, but I guess for a fingerprint I need a certificate or something similar?

135k 43 43 gold badges 306 306 silver badges 381 381 bronze badges
asked Feb 1, 2018 at 21:32
229 1 1 gold badge 2 2 silver badges 10 10 bronze badges
Fingerprint is just another name for the hash
Feb 1, 2018 at 21:45

no, hash of download looks like 0fe5f808b4827254543de92f524af6cfba1e3142a5823f62966d325a9e725016 fingerprint on website is 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26

Feb 1, 2018 at 22:01

4 Answers 4

You’ve missed a key word in the download page:

You can verify the signing certificate on the APK matches this SHA256 fingerprint

APK files are just ZIP files in reality, so open it up with whatever archive tool you want (I use 7zip) and extract META-INF\CERT.RSA from it. You can then verify that the certificate fingerprint matches what is written on the site. Note that this isn’t the same as the hash of the whole certificate either! You’ll need to use keytool to check it.

The keytool binary is included in the Java JDK (usually in the %ProgramFiles%\Java\jdk_\bin\ directory), and can be used as follows:

keytool -printcert -file X:\Path\To\CERT.RSA 

Output looks like this:

Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Serial number: 4bfbebba Valid from: Tue May 25 16:24:42 BST 2010 until: Tue May 16 16:24:42 BST 2045 Certificate fingerprints: MD5: D9:0D:B3:64:E3:2F:A3:A7:BD:A4:C2:90:FB:65:E3:10 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26 Signature algorithm name: SHA1withRSA Version: 3 

You can see that the SHA256 fingerprint matches what we saw on the site.

Once you’ve verified this you can go ahead and install the APK onto your Android device. Since you’ve verified that the signing certificate inside the APK matches the one that Signal expects you to see, you can then rely upon the Android operating system to validate that the APK is properly signed — it won’t allow you to load it otherwise.

answered Feb 1, 2018 at 23:05
Polynomial Polynomial
135k 43 43 gold badges 306 306 silver badges 381 381 bronze badges

The fingerprints are hashes of the cert, but the META-INF/signer. entry/file is not just the cert — it is a PKCS7 SignedData detached signature containing the cert chain, and a PKCS7 SignedData containing a cert chain is one of the things ( CertificateFactory and) keytool can read, but of course hash of the PKCS7 differs from hash of the cert

Jan 6, 2019 at 8:38

Just verifying the certificate is IMHO not enough on Android as by definition self-signed certificates are used. If you can trust a certificate is therefore a difficult question. The only way is to check the other apps that have been signed using the same certificate. The only way I know to do so is to use PlayStore crwaling service androidobservatory.org. It has an API for checking which apps have been signed by the same certificate based on the SHA-1 fingerprint of the certificate: androidobservatory.org/cert/…

Nov 1, 2019 at 8:17

The correct way to verify an APK file is to use apksigner from Android SDK.

In difference to the other answers here that base on keytool , apksigner has two major advantages:

1. It actually verifies that that the signature is correct and the APK has not been modified
2. It does not rely on the old APK signature scheme v1 (also known as «JAR signature»). Instead it also can process APKs that has been signed using the APK signature scheme v2 and v3 (there are already apps available that doen’t have an v1 signature at all, therefore those apps can’t be checked using keytool .

apksigner is part of the Android build tools, therefore you may find multiple versions installed, one for each build-tools version installed.

One example path within the Android SDK to apksigner.bat / apksigner.sh is:

android-sdk/build-tools/29.0.2/apksigner 

Execute apksigner this way:

apksigner verify --verbose --print-certs "Signal-website-universal-release-4.49.13.apk" Verifies Verified using v1 scheme (JAR signing): true Verified using v2 scheme (APK Signature Scheme v2): true Verified using v3 scheme (APK Signature Scheme v3): true Number of signers: 1 Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374 Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310 Signer #1 key algorithm: RSA Signer #1 key size (bits): 1024 Signer #1 public key SHA-256 digest: 75336a3cc9edb64202cd77cd4caa6396a9b5fc3c78c58660313c7098ea248a55 Signer #1 public key SHA-1 digest: b46cbed18d6fbbe42045fdb93f5032c943d80266 Signer #1 public key MD5 digest: 0f9c33bbd45db0218c86ac378067538d

Now you have verified the APK, but you still don’t know if you can trust the person/organization who has signed the APK file. This is because on Android APK signatures use by definition self-signed certificates. If you can trust a certificate is therefore a difficult question. The only way is to check the other apps that have been signed using the same certificate.

The APK hoster APKMirror.com allows to search for APKs by their SHA-1 and SHA-256 issuer/certificate hash:

Edit 2021-10-19: androidobservatory.org seem to be out of service

Another service that allows to search for SHA-1 certificate hashes is androidobservatory.org. It has an API for checking which apps have been signed by the same certificate using the certificate SHA-1 digest:

easiest way to get sha256 of mobile apps

To access APIs in Android from Google API console you need to generate an API Key. This same API key can be used for accessing multiple APIs under the same project. To generate an API key you require, SHA1 fingerprint of your keystore. Keystore is basically a place where the private keys for your app are kept. In simple words its a certificate generated by a user or a program, used for signing an Android app.

In Android, there are two types of keystores. A debug keystore and a release keystore. Debug keystore is generated automatically when the Android SDK is installed or run for the first time. Release keystore has to be generated manually by the user for each application before release. As it requires private information such as name, password etc. To obtain an Android SHA1 fingerprint from your desired keystore.

How to get SHA1 and SHA256 in Android Studio 4.2.1

Generally we can SHA certificate fingerprints from Gradle (in right hand side of Android Studio) > Task > Android > signingReport But in Android Studio Latest Update 4.2.1 the Task is not showing option to get the SHA fingerprint So can anyone help me with that?

Parag Wadhwani
asked May 19, 2021 at 9:13
Parag Wadhwani Parag Wadhwani
588 2 2 gold badges 6 6 silver badges 14 14 bronze badges
Maybe this reponse can help you: stackoverflow.com/a/67493124/4871526
May 19, 2021 at 9:46
And you can see this for why not showing: stackoverflow.com/questions/67405791/…
May 19, 2021 at 10:02

3 Answers 3

Option 1 : Just goto gradle option (in the right side) then click on the gradle icon in the left-top side of the popup

then a popup will appears with «Run Anything» name , then type «gradle signingReport» and press enter

Then you will get the SHA in run tab

Option 2 : In Android Studio 4.2.1 the Gradle task list is disabled by default You can re-enable it from: Settings > Experimental > Do not build Gradle task list during Gradle sync.

Is it possible to get the SHA256 of an APK solely through ADB?

I am currently working on a project which will identify malware that are residing on a device. My aim is to make a hash-based detection of Android malware on a device by only accessing the ADB port of the device and getting the SHA-256 (MD5, SHA1, etc could also work) of the base.apk which resides in the app’s data directory. Is there any way to get the hash of an .apk file that is installed on a device using ADB, but without installing another app?

asked Sep 23, 2019 at 12:44
user306715 user306715

1 Answer 1

On most devices the command-line application sha256sum is present which can be used to generate the SHA-256 digest of one or more files.

It can be used via adb so that you can use it to generate a digest of each APK file without having to transfer it to the PC.

answered Sep 23, 2019 at 16:49
19.5k 6 6 gold badges 46 46 silver badges 64 64 bronze badges

You must log in to answer this question.

The Overflow Blog

Related

Hot Network Questions

Subscribe to RSS

Question feed

To subscribe to this RSS feed, copy and paste this URL into your RSS reader.

Site design / logo © 2024 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2024.1.22.3688