How can I verify the SHA256 Fingerprint of APK?

1.7K · Asked by ankur_3579 in Cyber Security, Asked on Feb 8, 2022

I have downloaded the Signal app from https://signal.org/android/apk/. To verify the download, there is a fingerprint provided. But how can I verify this fingerprint with the file? I know that I can use sha256sum to verify a hash, but do I need a certificate or something similar for a fingerprint?

Answered by Al German

You've missed a key word in the download page: "You can verify the signing certificate on the APK matches this SHA256 fingerprint"

(emphasis mine) APK files are just ZIP files in reality, so open it up with whatever archive tool you want (I use 7zip) and extract META-INF/CERT.RSA from it. You can then verify that the certificate fingerprint matches what is written on the site. Note that this isn't the same as the hash of the whole certificate either! You'll need to use keytool to check it. The keytool binary is included in the Java JDK (usually in the %ProgramFiles%\Java\jdk_\bin directory), and can be used as follows:

keytool -printcert -file X:\Path\To\CERT.RSA

Output looks like this:

Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 16:24:42 BST 2010 until: Tue May 16 16:24:42 BST 2045
Certificate fingerprints:
         MD5: D9:0D:B3:64:E3:2F:A3:A7:BD:A4:C2:90:FB:65:E3:10
         SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
         Signature algorithm name: SHA1withRSA
         Version: 3

You can see that the SHA256 fingerprint matches what we saw on the site. Once you've verified this you can go ahead and install the APK onto your Android device. Since you've verified that the signing certificate inside the APK matches the one that Signal expects you to see, you can then rely upon the Android operating system to validate that the APK is properly signed - it won't allow you to load it otherwise.
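
The procedure in the answer above (open the APK as a ZIP, pull out META-INF/CERT.RSA, take the SHA-256 of the certificate inside it) as a script, added here as an example for this page; it is not Signal's code nor the answerer's. It uses only the Python standard library and parses just enough DER to reach the certificates field of the PKCS#7 blob, so it does the same thing keytool -printcert does for the SHA256 line. The expected fingerprint constant is copied from the keytool output quoted above; the script file name in the comment is a placeholder; and the fixture builders at the bottom construct a dummy certificate and a minimal in-memory ZIP so the code can be exercised without a real APK (those fixtures carry no real key and no valid signature).

```python
"""Check an APK's signing-certificate SHA-256 fingerprint without keytool.
Added example for this page (not Signal's code, not the answerer's). Standard
library only: open the APK as a ZIP, read META-INF/*.RSA (a DER PKCS#7
SignedData), walk the DER to its certificates field and SHA-256 each
certificate's DER bytes: that is keytool's "SHA256" fingerprint line."""
import hashlib
import io
import sys
import zipfile

# Expected value, copied from the keytool output quoted in the answer above.
SIGNAL_SHA256 = ("29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:"
                 "EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26")
SEQUENCE, SET, CONTEXT_0, INTEGER, OID = 0x30, 0x31, 0xA0, 0x02, 0x06
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2A864886F70D010701")   # 1.2.840.113549.1.7.1


def der_header(data, pos):
    """Tag and definite length at pos -> (tag, header_len, value_len)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                                   # short form
        return tag, 2, first
    n = first & 0x7F                                   # long form: n length bytes
    return tag, 2 + n, int.from_bytes(data[pos + 2:pos + 2 + n], "big")


def der_value(data, pos):
    tag, hdr, ln = der_header(data, pos)               # (tag, value_start, value_end)
    return tag, pos + hdr, pos + hdr + ln


def der_children(data, pos, end):
    """Yield (tag, start, end) for each element of a constructed value."""
    while pos < end:
        tag, hdr, ln = der_header(data, pos)
        yield tag, pos, pos + hdr + ln
        pos += hdr + ln


def certificates_from_pkcs7(blob):
    """DER bytes of each Certificate in a PKCS#7 SignedData ContentInfo:
    SEQUENCE { OID signedData, [0] EXPLICIT SEQUENCE { version, SET digestAlgs,
    SEQUENCE encapContentInfo, [0] IMPLICIT SET OF Certificate, ... } }"""
    tag, start, end = der_value(blob, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    oid, content = list(der_children(blob, start, end))[:2]
    _, os_, oe = der_value(blob, oid[1])
    if blob[os_:oe] != OID_SIGNED_DATA or content[0] != CONTEXT_0:
        raise ValueError("not a PKCS#7 SignedData")
    _, start, _ = der_value(blob, content[1])          # step into content [0]
    _, start, end = der_value(blob, start)             # step into SignedData
    for tag, s, _ in der_children(blob, start, end):
        if tag == CONTEXT_0:                           # certificates [0]
            _, cs, ce = der_value(blob, s)
            return [blob[a:b] for t, a, b in der_children(blob, cs, ce) if t == SEQUENCE]
    return []


def fingerprint(cert_der):
    """SHA-256 of the certificate's DER in keytool's AA:BB:... style."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def apk_signer_fingerprints(apk):
    """Map each v1 signature entry of the APK (path or file object) to its
    certificate fingerprints. A v2/v3-only signed APK has no such entry -> {}."""
    with zipfile.ZipFile(apk) as z:
        sigs = [n for n in z.namelist() if n.startswith("META-INF/")
                and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        return {n: [fingerprint(c) for c in certificates_from_pkcs7(z.read(n))]
                for n in sigs}


# Constructed fixtures so the code runs without a real APK: a dummy
# "certificate" (any SEQUENCE satisfies the walk) and an unsigned SignedData.
def encode_tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_signed_data(certs):
    """PKCS#7 SignedData carrying certs, with empty digestAlgorithms/signerInfos."""
    signed = encode_tlv(SEQUENCE, encode_tlv(INTEGER, b"\x01") + encode_tlv(SET, b"")
                        + encode_tlv(SEQUENCE, encode_tlv(OID, OID_PKCS7_DATA))
                        + encode_tlv(CONTEXT_0, b"".join(certs)) + encode_tlv(SET, b""))
    return encode_tlv(SEQUENCE, encode_tlv(OID, OID_SIGNED_DATA) + encode_tlv(CONTEXT_0, signed))


def sample_apk(pkcs7_blob):
    """In-memory ZIP holding only META-INF/CERT.RSA, standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7_blob)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    if len(sys.argv) > 1:                              # python3 apk_fingerprint.py some.apk
        for entry, fps in apk_signer_fingerprints(sys.argv[1]).items():
            for fp in fps:
                print(entry, fp, "MATCH" if fp == SIGNAL_SHA256 else "MISMATCH")
    else:                                              # self-demo on the fixtures
        dummy = encode_tlv(SEQUENCE, encode_tlv(INTEGER, b"\x2a"))
        print(apk_signer_fingerprints(sample_apk(sample_signed_data([dummy]))))
```

Run it against the downloaded file and compare the printed fingerprint with the one on the download page. A match tells you the certificate embedded in the APK is the one Signal publishes; Android's package installer then verifies the signature over the APK contents when you install it. Two caveats: an APK signed only with the v2/v3 scheme (APK Signing Block) carries no META-INF/*.RSA entry and yields nothing here, so use apksigner verify --print-certs from the Android SDK build-tools for those; and this is not the same check as sha256sum on the whole file, since the file hash changes with every release while the signing-certificate fingerprint stays constant across releases.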



Answers (2)

To verify the SHA256 fingerprint of an APK file, you can follow these steps:

1. Download the APK file that you want to verify.

2. Get the SHA256 hash of the APK file. You can do this using various tools depending on your operating system.

   On Windows:
   - Open a Command Prompt.
   - Navigate to the directory where your APK file is located.
   - Run the following command:

         certutil -hashfile your_apk_file.apk SHA256

     Replace your_apk_file.apk with the actual file name of your APK.

   On macOS and Linux:
   - Open a Terminal.
   - Navigate to the directory where your APK file is located.
   - Run the following command:

         shasum -a 256 your_apk_file.apk

     Replace your_apk_file.apk with the actual file name of your APK.

   Using OpenSSL (cross-platform):
   - Open a Terminal or Command Prompt.
   - Navigate to the directory where your APK file is located.
   - Run the following command:

         openssl dgst -sha256 your_apk_file.apk

     Replace your_apk_file.apk with the actual file name of your APK.

3. Compare the SHA256 hash:

   After running one of the above commands, you will get a SHA256 hash value. Compare this value with the SHA256 hash provided by the source from where you downloaded the APK. If the values match, the APK file is verified.

If you need any further assistance with these steps, please let me know!

3 Months