54

How do I go about getting the details of the certificate an apk was signed with? I have a bunch of apks signed with different certificates and I am trying to group them based on their certificate.

I can get the certificate expiry details using jarsigner and complete my task, but I was curious if I can get any more details or extract the public key (I believe it is stored in META-INF/cert.RSA but it's not readable).

Paresh Mangukiya
Ravi Vyas
  • You can do it [runtime](http://stackoverflow.com/a/7632973/967142) by extracting the X509Certificate from the app(s) - should also give you the public key I assume. – Jens Jul 06 '12 at 11:41
  • I would like to do it without code (Please don't hurt me stackoverflow) – Ravi Vyas Jul 06 '12 at 11:52
  • possible duplicate of [How to view the identity of person who signed the apk on Android device?](http://stackoverflow.com/questions/4324120/how-to-view-the-identity-of-person-who-signed-the-apk-on-android-device) – Victor Ronin Apr 19 '13 at 20:51

5 Answers

60

Try the following:

```
openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text
```
Yury
  • You can get some info also with java's `keytool`: `keytool -printcert -file CERT.RSA`, but `openssl` is more verbose, that's why I prefer it. – pevik Jul 01 '14 at 22:09
  • Thank you. Out of curiosity, which part of the output is the fingerprint? I tried this with the Signal APK (https://signal.org/android/apk/) by extracting META-INF/CERTIFIC.RSA but cannot find a value in the output that matches the Signal fingerprint listed on their site. – iangetz Jan 10 '21 at 20:50
  • @iangetz see this question: https://stackoverflow.com/questions/54782328/apksigner-does-not-verify-signature – Yury Jan 12 '21 at 09:21
45

`unzip -p Name-of-apk.apk META-INF/CERT.RSA | keytool -printcert` is what I used.

It produces information such as the owner, issuer, serial number, valid through, certificate fingerprints, signature algorithms and version.

Paresh Mangukiya
diptia
24

Based on the existing answers, here's the command line for on-the-fly usage of openssl (unzip & pipe the cert instead of defining an -infile option):

```
unzip -p App.apk META-INF/CERT.RSA | openssl pkcs7 -inform DER -noout -print_certs -text
```
eyecatchUp
24

The easiest of all:

```
keytool -printcert -jarfile file.apk
```

This also works for Android App Bundles (.aab)

childno͡.de
Randy Sugianto 'Yuku'
  • I have been using this command for a long time now. Recently I have noticed that `keytool` has stopped showing MD5 in its output. Any guesses why this is so? Tried searching a lot but no success. – v1h5 Jun 25 '19 at 11:18
  • Add -v to get MD5 as well. – Randy Sugianto 'Yuku' Jun 25 '19 at 18:32
  • Same output. No MD5 visible. :( This is so strange. Earlier I used to get MD5 as well. I am simply clueless about why this is happening now. – v1h5 Jun 26 '19 at 06:31
  • I also tried asking a question regarding this but again no success. https://stackoverflow.com/questions/55336382/md5-missing-from-keytool-command-when-fired-for-apk/ – v1h5 Jun 26 '19 at 06:33
14

Without unpacking, you can use ApkSigner from the Android SDK with the following:

```
java -jar apksigner.jar verify --print-certs myApplication.apk
```
Ewoks
  • Great answer. Note that starting from Android 7, a new signing scheme was introduced (V2) that will produce APK files without CERT.RSA. So the old methods (that use openssl / keytool) will not work. (see: https://source.android.com/security/apksigning/v2 ) – David Lev Feb 06 '18 at 09:48
  • Also be aware that you have to run it from your tools lib dir: `java -jar ~/android-sdk/build-tools/28.0.0-rc1/lib/apksigner.jar` – kenyee Jun 04 '18 at 15:13
  • @DavidLev So, this command gives us the value we can compare, right? But I think I'm a bit lost.. What should I do with this value with the resulting byte[] value from "msgDigest.digest(sigs[0].toByteArray())"? – Jenix May 29 '20 at 16:45
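
For the grouping task in the question, here is an added example (not taken from any answer on this page) that reads the v1 signature block under META-INF, extracts the first certificate from the PKCS#7 SignedData, and groups APKs by the SHA-256 of that certificate's DER bytes. Assumptions: the block is DER-encoded, the first certificate is the signer's, and the function names are illustrative; APKs signed only with v2 or later have no such block and land in a separate group.

```python
import hashlib
import re
import sys
import zipfile
from collections import defaultdict

# v1 (JAR) signature blocks: META-INF/<name>.RSA, .DSA or .EC
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def first_cert_der(pkcs7):
    """DER bytes of the first certificate in a PKCS#7 SignedData blob."""
    _, pos, _ = read_tlv(pkcs7, 0)         # ContentInfo SEQUENCE
    _, _, pos = read_tlv(pkcs7, pos)       # contentType OID (signedData)
    _, pos, _ = read_tlv(pkcs7, pos)       # [0] EXPLICIT wrapper
    _, pos, end = read_tlv(pkcs7, pos)     # SignedData SEQUENCE
    while pos < end:
        tag, start, stop = read_tlv(pkcs7, pos)
        if tag == 0xA0:                    # certificates [0] IMPLICIT
            _, _, cert_end = read_tlv(pkcs7, start)
            return pkcs7[start:cert_end]
        pos = stop                         # skip version, digests, content
    raise ValueError("no certificate in signature block")

def cert_sha256(apk):
    """SHA-256 of the v1 signer certificate, or None if no v1 block."""
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if SIG_BLOCK.match(name):
                return hashlib.sha256(first_cert_der(z.read(name))).hexdigest()
    return None                            # v2+-only APK: use apksigner

def group_by_cert(apks):
    """Map certificate digest -> list of APKs signed with it."""
    groups = defaultdict(list)
    for apk in apks:
        groups[cert_sha256(apk) or "no-v1-signature"].append(apk)
    return dict(groups)

if __name__ == "__main__":
    for digest, files in group_by_cert(sys.argv[1:]).items():
        print(digest, *files)
```

The digest is computed over the DER-encoded certificate, the same input as the SHA-256 certificate fingerprint, so groups can be cross-checked against `keytool -printcert -jarfile` output.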