How to verify SHA256 on Android devices

AFV (Android File Verifier)
version: 2.7

Last program update in the header post: 15.07.2017

Short description:
Calculates MD5/SHA1 checksums and checks files for errors.

A tool for checking file integrity.

* Checksum calculation for MD5/SHA1 (SHA-224, SHA-256, SHA-384 and SHA-512 are also supported)
* Verification of signed files (.jar, .apk, .zip)
* Verification of a Nandroid backup folder (ClockworkMod, Amon_RA, TWRP)

How to use:
* On the main screen, tap the "Select file" button to open the file manager
* The topmost icon with an arrow takes you up one level
* Tap and hold a file to see the available functions:
— Calculate MD5
— Calculate SHA1
— Verify Jar
— Verify Nandroid
— Calculate SHA224
— Calculate SHA256
— Calculate SHA384
— Calculate SHA512
— Md5sum (verify a .md5 file)

easiest way to get sha256 of mobile apps

To access APIs in Android from the Google API console, you need to generate an API key. The same API key can be used to access multiple APIs under the same project. To generate an API key, you need the SHA1 fingerprint of your keystore. A keystore is basically a place where the private keys for your app are kept. In simple terms, it's a certificate generated by a user or a program, used for signing an Android app.

In Android, there are two types of keystores: a debug keystore and a release keystore. The debug keystore is generated automatically when the Android SDK is installed or run for the first time. The release keystore has to be generated manually by the user for each application before release, as it requires private information such as name, password, etc. To obtain an Android SHA1 fingerprint from your desired keystore.

How to verify SHA256 fingerprint of APK

I have downloaded the signal app from https://signal.org/android/apk/. To verify the download, there is a fingerprint provided. But how can I verify this fingerprint with the file? I know that I can use sha256sum to verify a hash, but I guess for a fingerprint I need a certificate or something similar?

4 Answers

You’ve missed a key word in the download page:

You can verify the signing certificate on the APK matches this SHA256 fingerprint

APK files are just ZIP files in reality, so open it up with whatever archive tool you want (I use 7zip) and extract META-INF\CERT.RSA from it. You can then verify that the certificate fingerprint matches what is written on the site. Note that this isn’t the same as the hash of the whole certificate either! You’ll need to use keytool to check it.

The keytool binary is included in the Java JDK (usually in the %ProgramFiles%\Java\jdk_<version>\bin\ directory), and can be used as follows:

Output looks like this:

You can see that the SHA256 fingerprint matches what we saw on the site.

Once you’ve verified this you can go ahead and install the APK onto your Android device. Since you’ve verified that the signing certificate inside the APK matches the one that Signal expects you to see, you can then rely upon the Android operating system to validate that the APK is properly signed — it won’t allow you to load it otherwise.

The correct way to verify an APK file is to use apksigner from Android SDK.

In contrast to the other answers here, which are based on keytool, apksigner has two major advantages:

  1. It actually verifies that the signature is correct and the APK has not been modified
  2. It does not rely on the old APK signature scheme v1 (also known as "JAR signature"). Instead, it can also process APKs that have been signed using the APK signature scheme v2 and v3 (there are already apps available that don't have a v1 signature at all, therefore those apps can't be checked using keytool).

apksigner is part of the Android build tools, therefore you may find multiple versions installed, one for each build-tools version installed.

One example path within the Android SDK to apksigner.bat / apksigner.sh is:

Execute apksigner this way:

Now you have verified the APK, but you still don't know if you can trust the person/organization who has signed the APK file. This is because on Android, APK signatures by definition use self-signed certificates. Whether you can trust a certificate is therefore a difficult question. The only way is to check the other apps that have been signed using the same certificate.
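The comparison step that the answers above leave to the eye, as an added example (not part of the answers and not Signal's own tooling): it pulls the signer digest out of `apksigner verify --print-certs` output and compares it with a published fingerprint after normalizing colons and letter case. The function names, the sample output and the digest are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the signer digest printed by
# `apksigner verify --print-certs` with a published SHA-256 fingerprint.

# Strip colons and whitespace and lowercase the hex, so "AB:CD" equals "abcd".
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read apksigner output on stdin; print each signer's SHA-256 digest, one per line.
signer_sha256() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p'
}

# Usage: apksigner verify --print-certs app.apk | check_apk_fingerprint "$PUBLISHED"
# Returns 0 on match, 1 on mismatch or unexpected signer count, 2 on bad input.
check_apk_fingerprint() {
    expected=$(normalize_fp "$1")
    # A SHA-256 fingerprint is exactly 64 hex characters; reject anything else
    # (for example a SHA-1 fingerprint pasted by mistake).
    case "$expected" in
        ''|*[!0-9a-f]*) echo "expected fingerprint is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected fingerprint is not 64 hex chars" >&2; return 2; }

    digests=$(signer_sha256)
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    # Only the single-signer case is handled; anything else is treated as a failure.
    [ "$count" -eq 1 ] || { echo "expected 1 signer, found $count" >&2; return 1; }

    [ "$(normalize_fp "$digests")" = "$expected" ]
}

# Constructed sample output; the digest is a made-up value, not Signal's.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Signer
Signer #1 certificate SHA-256 digest: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Signer #1 certificate SHA-1 digest: 00112233445566778899aabbccddeeff00112233
WARNING: constructed warning line, ignored by the parser'
# The same made-up digest in colon-separated uppercase form.
SAMPLE_PUBLISHED='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

if printf '%s\n' "$SAMPLE_OUTPUT" | check_apk_fingerprint "$SAMPLE_PUBLISHED"; then
    echo "fingerprint matches"
else
    echo "fingerprint MISMATCH"
fi
```

The function only inspects the printed digest, so in a real pipeline also check apksigner's own exit status (for example with `set -o pipefail` in bash).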

nolanlawson / how_to_check_signal_apk.md

To verify the SHA256 fingerprint of a Signal APK you downloaded from their website, use apksigner on the command line, like so:

How to check grep command in Windows?
I am trying findstr SHA-256, it's not working.
I am unable to verify my apk on Windows. Can you help?

In case someone is looking for apksigner, it is part of "build-tools" which I acquired on Linux using the following:

  1. download commandlinetools-linux-8092744_latest.zip from https://developer.android.com/studio#downloads
  2. ./bin/sdkmanager --sdk_root=/tmp/android_sdk "build-tools;29.0.3"
  3. /tmp/android_sdk/build-tools/29.0.3/apksigner verify --print-certs /mnt/tmp/Signal-Android-website-prod-universal-release-5.36.3

There were many "WARNING" messages, but if you look at the top of the response you will see "Signer #1 certificate" values.

Thank you for this! However, I have a slightly improved copy-and-paste-able version:
