How to print/verify the signatures (and/or certificates) of an Android package (APK file)

First extract the contents of the APK. This is easy since an APK is essentially a ZIP archive. If you don't know any better way, you can always rename the APK to a ZIP extension and extract it's contents the same way you'd extract a ZIP. On a Unix/Linux box you can use unzip:
mkdir Example
cd Example
unzip ../Example.apk

APK files used to contain a self-signed certificate and a signature list of most included files. Both are in the META-INF subdirectory of the package.

To print out the contents of the certificate you can use openssl:
openssl pkcs7 -inform DER -in META-INF/CERT.RSA -noout -print_certs -text
Or keytool from the Oracle JDK:
keytool -printcert -file META-INF/CERT.RSA

To verify each signature in the package, use jarsigner from the Oracle JDK:
jarsigner -verify -certs -verbose ../Example.apk

Or to dump the certificates from all APKs in a directory tree (the following code prints path, app label and certificates):
aapt_bin="$(which aapt)"
[ -n "$aapt_bin" -a -x "$aapt_bin" ] && find . -type f -iname '*.apk' -print0 | while IFS="" read -r -d "" j; do IFS="$(printf '\nX')"; IFS="${IFS%X}"; label="$("$aapt_bin" d badging "$j" | grep '^application:' | cut -d\' -f2)"; for f in $(jar tf "$j" | egrep '^META-INF/.*\.[DR]SA$'); do echo "********** ${j}${label:+: $label} **********"; unzip -cqq "$j" "$f" | openssl pkcs7 -inform DER -noout -print_certs -text; done; done

You can get some further insight by reading Chris Stratton's answer to this question.

Syndicate content