How to check Signal APK SHA256 fingerprint

how_to_check_signal_apk.md

To verify the SHA256 fingerprint of a Signal APK you downloaded from their website, use apksigner on the command line, like so:

/path/to/android-sdk/build-tools/26.0.2/apksigner verify --print-certs \
    /path/to/Signal-website-release-4.12.3.apk | grep SHA-256
> dSigner #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26

echo 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26 \
    | sed 's/://g' | sed 's/ //g' | tr '[:upper:]' '[:lower:]'
> 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26

if [[ 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 = \
    29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 ]]; \
    then echo strings are equal; \
    fi
> strings are equal

In case someone is looking for apksigner, it is part of "build-tools" which I acquired on Linux using the following:

1. download commandlinetools-linux-8092744_latest.zip from https://developer.android.com/studio#downloads
2. ./bin/sdkmanager --sdk_root=/tmp/android_sdk "build-tools;29.0.3"
3. /tmp/android_sdk/build-tools/29.0.3/apksigner verify --print-certs /mnt/tmp/Signal-Android-website-prod-universal-release-5.36.3
   .apk

There were many "WARNING" messages, but if you look at the top of the response you will see "Signer #1 certificate" values.

Thank you for this! However, I have a slightly improved copy-and-paste-able version:

read apk; read sig; diff <(apksigner verify --verbose --print-certs $apk | \
grep 'certificate SHA-256 digest: ' | \
sed 's/^.* //g') <(echo "$sig" | tr '[:upper:]' '[:lower:]' |tr -d ' :') && echo "good"

After you press return, copy and paste the file name and hit enter, then that horrible signature they give you (https://signal.org/android/apk/) and press enter again.