261

How can I check that an Android apk is signed with a release and not debug cert?

JohnnyLambada
Vadivelan
  • I wrote [a script](https://raw.githubusercontent.com/johnnylambada/robospanner/master/apk/apk-validate) that will validate an apk against a keystore. – JohnnyLambada May 09 '14 at 20:53
  • Accept an answer if you have got yours. – RPB Apr 21 '15 at 10:44
  • @JohnnyLambada How can I run your script on Mac? – Aaron Azhari May 11 '15 at 14:44
  • @JohnnyLambada How can I run your script? – sunil Aug 11 '15 at 18:14
  • @sunil It's a bash script that creates a new bash function. Follow the link and paste it into a file, then `source thatfile`. Comments in the script explain how to run it. – JohnnyLambada Aug 18 '15 at 23:20
  • @PavelGP's answer is the best one for dealing with apks. `jarsigner` and `keytool` will sometimes incorrectly report that the apk is `Not a signed jar file` when it's signed with the android debug key, whereas `apksigner` will report the android debug key correctly. – Nelson Ramirez Feb 01 '21 at 21:50

6 Answers

399

Use this command (go to the java > jdk > bin path in the command prompt):

```
$ jarsigner -verify -verbose -certs my_application.apk
```

If you see "CN=Android Debug", this means the .apk was signed with the debug key generated by the Android SDK (meaning it is unsigned); otherwise you will find something else for CN. For more details see: http://developer.android.com/guide/publishing/app-signing.html

Eugene
Anass
  • I got the message "jar verified" at the end of the command execution for 2 different apk files, so I got confused. But as it gives CN="Android Debug" for one apk and something different for the other apk, I got to know which one is signed. Thanks. – iRunner Oct 04 '12 at 09:34
  • @iRunner ALL apps need to be signed before installing on a device, using either a debug key or a real key. – Chloe Sep 19 '13 at 14:39
  • How does this verify the signature? Will it use the system's trusted CAs? Or is this only a tool to check the integrity of the jar files? Thank you – Mostafa Shahverdy Feb 09 '14 at 14:00
  • `this means the .apk was signed with the debug key generated by the Android SDK (means it is unsigned)` - this does not mean it is unsigned. It means what you just wrote - it is signed with the debug key. – Dmitry Zaytsev Mar 24 '15 at 15:35
  • How could we check that it was signed with the same exact certificate file, and not just one that happens to have the same values for organisation, location, etc.? – OlivierM May 15 '15 at 19:03
  • Thanks. So `jarsigner -verify -verbose -certs myapp.apk | grep CN= | less` and we should not see "CN=Android Debug". – rpattabi Apr 30 '16 at 07:30
  • Hello, I got the message **jar verified**. Is it signed or not? – Jigar Fumakiya Oct 14 '18 at 12:41
  • To use something other than the debug keystore, use `jarsigner -verify -keystore my_prod_keystore.jks -verbose -certs my_application.apk` – Rajiv May 13 '21 at 13:38
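The manual "look for CN=Android Debug" check from this answer, turned into a scriptable one. This is an added example and not code from the answer or from any Android tool; it assumes `jarsigner` is on PATH when `check_apk` is run, and the function names are hypothetical. The debug test deliberately runs before the "jar verified" test, because a debug-signed APK also prints "jar verified", which is the confusion raised in the comments above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer: classify an APK from the
# output of `jarsigner -verify -verbose -certs`.
# Assumption: jarsigner is on PATH when check_apk is called; the function
# names are hypothetical.

# Reads jarsigner output on stdin and prints one label:
#   unsigned          - jarsigner found no signature at all
#   no-jar-signature  - the "Not a signed jar file" case quoted in the
#                       comments (typically a v2/v3-only signed APK; use
#                       apksigner instead). Exact wording varies by JDK.
#   debug             - signed with the SDK's "CN=Android Debug" key
#   release           - verified and not the debug key
#   unknown           - none of the above matched
classify_jarsigner_output() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'jar is unsigned'; then
        echo unsigned
    elif printf '%s\n' "$out" | grep -q 'Not a signed jar file'; then
        echo no-jar-signature
    elif printf '%s\n' "$out" | grep -q 'CN=Android Debug'; then
        echo debug
    elif printf '%s\n' "$out" | grep -q 'jar verified'; then
        echo release
    else
        echo unknown
    fi
}

# Runs jarsigner on a real APK; exit status 0 only for a release signature,
# so it can gate a CI step.
check_apk() {
    local label
    label=$(jarsigner -verify -verbose -certs "$1" 2>&1 | classify_jarsigner_output)
    echo "$1: $label"
    [ "$label" = release ]
}

# Constructed sample resembling jarsigner output for a debug-signed APK
# (not captured from a real run).
SAMPLE_DEBUG='s   1234 Fri Jan 01 00:00:00 UTC 2021 classes.dex

      X.509, CN=Android Debug, O=Android, C=US
      [certificate is valid from 1/1/21 to 1/1/51]

jar verified.'

# Usage: check_apk my_application.apk
```

Note that this only tells debug from not-debug by the subject name; anyone can create a certificate with any CN, so for a real release gate compare the certificate fingerprint against the one in your release keystore rather than the DN text.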
95

Use the console command:

```
apksigner verify --print-certs application-development-release.apk
```

You can find apksigner in ../sdk/build-tools/24.0.3/apksigner.bat. It is only available for build-tools v24.0.3 and higher.

Also read the Google docs: https://developer.android.com/studio/command-line/apksigner.html

PavelGP
  • 1
    I found `apksigner` in `%LOCALAPPDATA%\Android\sdk\build-tools\25.0.3\` (and every other build tools version I had installed) – Jon May 15 '17 at 20:17
  • 3
    Note that `apksigner` is missing in version `26.0.0` of build-tools. It is tracked in https://issuetracker.google.com/issues/62696222 and supposed to be fixed in the next version. The workaround until then is to use `apksigner` from `25.0.3`. – friederbluemle Jun 29 '17 at 02:50
  • 3
    Update: `apksigner` is included in version `26.0.1` – forresthopkinsa Sep 25 '17 at 18:07
  • Update: APKSigner is also in 26.0.2, 26.0.3, 27.0.0, 27.0.1, 27.0.2 I believe you will find it in all future releases :) – Kirill Vashilo Jan 30 '18 at 10:34
  • 2
    for verbose output use -v : `./apksigner verify --print-certs -v ~/Downloads/MyAppHere.apk` – Tilo Apr 10 '18 at 03:41
  • This is the best option for apks, as sometimes both the `jarsigner` and `keytool` will incorrectly report that the apk is `Not a signed jar file` but `apksigner` gets it right every time. – Nelson Ramirez Feb 01 '21 at 21:46
60

Use this command (jarsigner is in your Java bin folder; go to the java->jdk->bin path in the command prompt):

```
$ jarsigner -verify my_signed.apk
```

If the .apk is signed properly, jarsigner prints "jar verified".

C. Ross
Udaykiran
  • 14
    This is not good enough since both debug and release apks are signed will give "jar verified". Check the details of @Anass's answer. – rpattabi Apr 30 '16 at 07:27
  • I tried exactly this command and it verified. Then as an experiment I went into the APK and deleted literally every file except the sig files and the manifest, and it still verified. So something is very wrong here. However I have yet to try @Anass's answer. – orblivion Dec 24 '18 at 19:58
52

The easiest of all:

```
keytool -list -printcert -jarfile file.apk
```

This uses the Java built-in keytool app and does not require extraction or any build-tools installation.

Randy Sugianto 'Yuku'
  • 1
    For anyone who can't run `keytool` immediately, check [this](https://stackoverflow.com/questions/4830253/where-is-the-keytool-application) and maybe try adding `%JAVA_HOME%\bin` to the path – TT-- May 28 '19 at 19:32
1

1. Unzip the apk
2. `keytool -printcert -file ANDROID_.RSA` or `keytool -list -printcert -jarfile app.apk` to obtain the MD5 hash
3. `keytool -list -v -keystore clave-release.jks`
4. Compare the MD5

https://www.eovao.com/en/a/signature%20apk%20android/3/how-to-verify-signature-of-.apk-android-archive

oat
-3

```
keytool -printcert -jarfile base.apk
```

kreker