Skip to content

Instantly share code, notes, and snippets.

@nolanlawson
Last active June 22, 2023 18:28
Show Gist options
  • Save nolanlawson/aae1735f54012da8538adf05817a01a7 to your computer and use it in GitHub Desktop.
Save nolanlawson/aae1735f54012da8538adf05817a01a7 to your computer and use it in GitHub Desktop.
How to check Signal APK SHA256 fingerprint

To verify the SHA256 fingerprint of a Signal APK you downloaded from their website, use apksigner on the command line, like so:

/path/to/android-sdk/build-tools/26.0.2/apksigner verify --print-certs \
    /path/to/Signal-website-release-4.12.3.apk | grep SHA-256
> dSigner #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
echo 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26 \
    | sed 's/://g' | sed 's/ //g' | tr '[:upper:]' '[:lower:]'
> 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
if [[ 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 = \
    29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26 ]]; \
    then echo strings are equal; \
    fi
> strings are equal
@daniel-santos
Copy link

daniel-santos commented Jun 22, 2023

Thank you for this! However, I have a slightly improved copy-and-paste-able version:

read apk; read sig; diff <(apksigner verify --verbose --print-certs $apk | \
grep 'certificate SHA-256 digest: ' | \
sed 's/^.* //g') <(echo "$sig" | tr '[:upper:]' '[:lower:]' |tr -d ' :') && echo "good"

After you press return, copy and paste the file name and hit enter, then that horrible signature they give you (https://signal.org/android/apk/) and press enter again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment