@nolanlawson
Last active June 22, 2023 18:28
How to check Signal APK SHA256 fingerprint

To verify the SHA256 fingerprint of a Signal APK you downloaded from their website, use apksigner on the command line, like so:

/path/to/android-sdk/build-tools/26.0.2/apksigner verify --print-certs \
    /path/to/Signal-website-release-4.12.3.apk | grep SHA-256
> Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
echo 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26 \
    | sed 's/://g' | sed 's/ //g' | tr '[:upper:]' '[:lower:]'
> 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
if [[ 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 = \
    29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 ]]; \
    then echo strings are equal; \
    fi
> strings are equal
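
The same comparison as a reusable POSIX shell check, added here as an example and not part of the original gist: it normalizes the published fingerprint, extracts the `Signer #N certificate SHA-256 digest` value from apksigner's output even when WARNING lines surround it, and fails unless exactly one signer digest is present and matches. The function names, the one-signer rule, the return codes and the sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example; normalize_fp, signer_digests, fp_matches and verify_apk are hypothetical names.

# Canonicalise a fingerprint: drop colons/whitespace, lowercase, require exactly 64 hex chars.
normalize_fp() {
    fp=$(printf '%s' "$1" | tr -d ' :\t\r\n' | tr '[:upper:]' '[:lower:]')
    case "$fp" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || return 1
    printf '%s\n' "$fp"
}

# Read `apksigner verify --print-certs` output on stdin; print one SHA-256 digest per signer.
# Anchoring on "Signer #N" skips WARNING lines and the SHA-1/MD5 digest lines.
signer_digests() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: \([0-9a-fA-F]*\)[[:space:]]*$/\1/p'
}

# fp_matches PUBLISHED_FP < apksigner-output
# Returns 0 only if exactly one signer digest is present and equals PUBLISHED_FP.
fp_matches() {
    want=$(normalize_fp "$1") || { echo "published fingerprint is malformed" >&2; return 2; }
    got=$(signer_digests)
    [ -n "$got" ] || { echo "no signer digest found" >&2; return 3; }
    # Assumption of this example: an APK with more than one signer is rejected outright.
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] || { echo "more than one signer" >&2; return 4; }
    got=$(normalize_fp "$got") || { echo "signer digest is malformed" >&2; return 3; }
    [ "$got" = "$want" ]
}

# verify_apk APK PUBLISHED_FP: run apksigner and treat a non-zero exit status as failure,
# which a bare `apksigner ... | grep` pipeline would not notice.
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || return 5
    printf '%s\n' "$out" | fp_matches "$2"
}

# Constructed sample output (the SHA-256 digest is the one shown on this page; the rest is made up).
SAMPLE_OUT='WARNING: META-INF/example.version not protected by signature.
Signer #1 certificate DN: CN=Example
Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000'
PUBLISHED='29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26'
```

With the SDK build-tools on `PATH`, call `verify_apk /path/to/Signal.apk "$PUBLISHED"` and check its exit status.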
@monikasinghmk

How to check grep command in Windows?
I am trying findstr SHA-256; it's not working.
I am unable to verify my APK on Windows. Can you help?

Thanks!

@chaseadam

In case someone is looking for apksigner, it is part of "build-tools" which I acquired on Linux using the following:

  1. download commandlinetools-linux-8092744_latest.zip from https://developer.android.com/studio#downloads
  2. ./bin/sdkmanager --sdk_root=/tmp/android_sdk "build-tools;29.0.3"
  3. /tmp/android_sdk/build-tools/29.0.3/apksigner verify --print-certs /mnt/tmp/Signal-Android-website-prod-universal-release-5.36.3.apk

There were many "WARNING" messages, but if you look at the top of the response you will see "Signer #1 certificate" values.

@daniel-santos

daniel-santos commented Jun 22, 2023

Thank you for this! However, I have a slightly improved copy-and-paste-able version:

read -r apk; read -r sig; diff <(apksigner verify --verbose --print-certs "$apk" | \
grep 'certificate SHA-256 digest: ' | \
sed 's/^.* //g') <(echo "$sig" | tr '[:upper:]' '[:lower:]' | tr -d ' :') && echo "good"

After you press return, copy and paste the file name and hit enter, then that horrible signature they give you (https://signal.org/android/apk/) and press enter again.
