How do I find out which keystore was used to sign an app?

无人及你 2020-11-22 15:47

I have an app which is signed and several keystore files. I'd like to update the app, so I need to find out which one of the keys was used.

How can I match which keysto

6 answers
  • 2020-11-22 16:23

    You can use Java 7's Key and Certificate Management Tool keytool to check the signature of a keystore or an APK without extracting any files.

    Signature of an APK

    keytool -printcert -jarfile app.apk
    

    The output will reveal the signature owner/issuer and MD5, SHA1 and SHA256 fingerprints of the APK file app.apk.

    (Note that the -jarfile argument was introduced in Java 7; see the documentation for more details.)

    Signature of a keystore

    keytool -list -v -keystore release.jks
    

    The output will reveal the aliases (entries) in the keystore file release.jks, with the certificate fingerprints (MD5, SHA1 and SHA256).

    If the SHA1 fingerprints between the APK and the keystore match, then you can rest assured that that app is signed with the key.

  • 2020-11-22 16:25

    Much easier way to view the signing certificate:

    jarsigner.exe -verbose -verify -certs myapk.apk
    

    This will only show the DN, so if you have two certs with the same DN, you might have to compare by fingerprint.

  • 2020-11-22 16:28

    You can do this with the apksigner tool that is part of the Android SDK:

    apksigner verify --print-certs my_app.apk

    You can find apksigner inside the build-tools directory. For example: ~/Library/Android/sdk/build-tools/29.0.1/apksigner

  • 2020-11-22 16:31

    There are many free tools for examining certificates and keystores, such as KeyStore Explorer.

    Unzip the APK and open the META-INF/?.RSA file. ? will be CERT or ANDROID, or maybe something else. It will display all the information associated with your APK.

  • 2020-11-22 16:32

    First, unzip the APK and extract the file /META-INF/ANDROID_.RSA (this file may also be CERT.RSA, but there should only be one .RSA file).

    Then issue this command:

    keytool -printcert -file ANDROID_.RSA
    

    You will get certificate fingerprints like this:

         MD5:  B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
         SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
         Signature algorithm name: SHA1withRSA
    

    Then use the keytool again to print out all the aliases of your signing keystore:

    keytool -list -keystore my-signing-key.keystore
    

    You will get a list of aliases and their certificate fingerprint:

    android_key, Jan 23, 2010, PrivateKeyEntry,
    Certificate fingerprint (MD5): B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
    

    Voila! We can now determine that the APK has been signed with this keystore, using the alias 'android_key'.

    keytool is part of Java, so make sure your PATH includes the Java installation directory.

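The matching procedure from the first answer and from this one (print the APK's certificate fingerprints, list the keystore's aliases, compare fingerprints) automated in Python, as an added example that is not code from this thread. It parses the text formats keytool prints in the sample outputs above, handles both `-list -v` and plain `-list` keystore listings, compares each APK signer against each alias using the strongest fingerprint both sides report, and reports which algorithm decided the match so that an MD5-only match can be recognised as weak evidence. The keytool outputs, alias names, owner fields and SHA-256 values below are constructed; the MD5 and SHA-1 values reuse those shown in the answer above.

```python
"""Match an APK's signing certificate to a keystore alias from keytool output.

Added example, not code from the thread. Feed it the text of
`keytool -printcert -jarfile app.apk` and `keytool -list [-v] -keystore x.jks`;
the samples at the bottom are constructed to mimic those formats.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches "SHA256: AA:BB:..." (verbose) and "fingerprint (SHA-256): AA:BB:..." (brief).
FINGERPRINT_RE = re.compile(r"(MD5|SHA-?1|SHA-?256)\)?:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){15,})")
ALIAS_VERBOSE_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")  # keytool -list -v
ALIAS_BRIEF_RE = re.compile(r"^([^,]+),.*,\s*(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$")
CERT_INDEX_RE = re.compile(r"^Certificate\[(\d+)\]:")  # chain position in -v output
# Strongest shared algorithm decides: a SHA-256 match is conclusive, MD5 alone is weak evidence.
PREFERENCE = ("SHA256", "SHA1", "MD5")


def parse_fingerprints(text: str) -> Dict[str, str]:
    """Return {ALGORITHM: hex-without-colons} for every fingerprint line in text."""
    return {alg.replace("-", "").upper(): fp.replace(":", "").upper()
            for alg, fp in FINGERPRINT_RE.findall(text)}


def parse_keystore_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Alias -> fingerprints of its leaf certificate, for -v and non-verbose listings."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    in_leaf = True
    for line in text.splitlines():
        m = ALIAS_VERBOSE_RE.match(line) or ALIAS_BRIEF_RE.match(line)
        if m:
            current, in_leaf = m.group(1).strip(), True
            entries[current] = {}
            continue
        c = CERT_INDEX_RE.match(line)
        if c:  # Certificate[2] onwards are issuer certs, not the signing key's own cert
            in_leaf = c.group(1) == "1"
            continue
        if current is not None and in_leaf:
            entries[current].update(parse_fingerprints(line))
    return entries


def parse_apk_signers(text: str) -> List[Dict[str, str]]:
    """One fingerprint dict per 'Signer #n:' block; a bare -printcert -file dump counts as one signer."""
    blocks = re.split(r"^Signer #\d+:", text, flags=re.MULTILINE)
    signers = [parse_fingerprints(b) for b in blocks[1:]]
    if not signers and parse_fingerprints(text):
        signers = [parse_fingerprints(text)]
    return signers


def match_apk_to_keystore(apk_printcert: str, keystore_listing: str) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """For each APK signer: (signer number, matching alias or None, algorithm that decided it)."""
    keystore = parse_keystore_listing(keystore_listing)
    results: List[Tuple[int, Optional[str], Optional[str]]] = []
    for n, signer in enumerate(parse_apk_signers(apk_printcert), start=1):
        hit: Tuple[Optional[str], Optional[str]] = (None, None)
        for alias, fps in keystore.items():
            alg = next((a for a in PREFERENCE if a in signer and a in fps), None)
            if alg and signer[alg] == fps[alg]:
                hit = (alias, alg)
                break
        results.append((n, hit[0], hit[1]))
    return results


# Constructed sample of `keytool -printcert -jarfile app.apk` (one signer).
APK_PRINTCERT = """\
Signer #1:

Signature:

Owner: CN=Example App, O=Example Corp, C=US
Issuer: CN=Example App, O=Example Corp, C=US
Serial number: 1a2b3c4d
Certificate fingerprints:
\t MD5:  B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
\t SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
\t SHA256: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
Signature algorithm name: SHA256withRSA
"""

# Constructed sample of `keytool -list -v -keystore release.jks` with two aliases.
KEYSTORE_LIST_VERBOSE = """\
Your keystore contains 2 entries

Alias name: old_debug_key
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Android Debug, O=Android, C=US
Certificate fingerprints:
\t SHA1: 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14
\t SHA256: 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20

*******************************************

Alias name: android_key
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Example App, O=Example Corp, C=US
Certificate fingerprints:
\t SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
\t SHA256: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
"""

# Constructed sample of a non-verbose listing from an old keytool that prints MD5 only.
KEYSTORE_LIST_BRIEF = """\
android_key, Jan 23, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
"""

if __name__ == "__main__":
    for listing in (KEYSTORE_LIST_VERBOSE, KEYSTORE_LIST_BRIEF):
        for n, alias, alg in match_apk_to_keystore(APK_PRINTCERT, listing):
            print(f"signer #{n}: " + (f"alias {alias} (matched on {alg})" if alias else "no matching alias"))
```

Run it and the verbose listing resolves to `android_key` on SHA-256, while the brief MD5-only listing also names `android_key` but reports `MD5` as the deciding algorithm; in that second case rerun with `keytool -list -v` (or `apksigner verify --print-certs`) to confirm on SHA-256 before trusting the match.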
  • 2020-11-22 16:32

    To build on Paul Lammertsma's answer, this command will print the names and signatures of all APKs in the current dir (I'm using sh because later I need to pipe the output to grep):

    find . -name "*.apk" -exec echo "APK: {}" \; -exec sh -c 'keytool -printcert -jarfile "$1"' sh {} \;

    Sample output:

    APK: ./com.google.android.youtube-10.39.54-107954130-minAPI15.apk
    Signer #1:
    
    Signature:
    
    Owner: CN=Unknown, OU="Google, Inc", O="Google, Inc", L=Mountain View, ST=CA, C=US
    Issuer: CN=Unknown, OU="Google, Inc", O="Google, Inc", L=Mountain View, ST=CA, C=US
    Serial number: 4934987e
    Valid from: Mon Dec 01 18:07:58 PST 2008 until: Fri Apr 18 19:07:58 PDT 2036
    Certificate fingerprints:
             MD5:  D0:46:FC:5D:1F:C3:CD:0E:57:C5:44:40:97:CD:54:49
             SHA1: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00
             SHA256: 3D:7A:12:23:01:9A:A3:9D:9E:A0:E3:43:6A:B7:C0:89:6B:FB:4F:B6:79:F4:DE:5F:E7:C2:3F:32:6C:8F:99:4A
             Signature algorithm name: MD5withRSA
             Version: 1
    
    APK: ./com.google.android.youtube_10.40.56-108056134_minAPI15_maxAPI22(armeabi-v7a)(480dpi).apk
    Signer #1:
    
    Signature:
    
    Owner: CN=Unknown, OU="Google, Inc", O="Google, Inc", L=Mountain View, ST=CA, C=US
    Issuer: CN=Unknown, OU="Google, Inc", O="Google, Inc", L=Mountain View, ST=CA, C=US
    Serial number: 4934987e
    Valid from: Mon Dec 01 18:07:58 PST 2008 until: Fri Apr 18 19:07:58 PDT 2036
    Certificate fingerprints:
             MD5:  D0:46:FC:5D:1F:C3:CD:0E:57:C5:44:40:97:CD:54:49
             SHA1: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00
             SHA256: 3D:7A:12:23:01:9A:A3:9D:9E:A0:E3:43:6A:B7:C0:89:6B:FB:4F:B6:79:F4:DE:5F:E7:C2:3F:32:6C:8F:99:4A
             Signature algorithm name: MD5withRSA
             Version: 1
    

    Or if you just care about SHA1:

    find . -name "*.apk" -exec echo "APK: {}" \; -exec sh -c 'keytool -printcert -jarfile "$1" | grep SHA1' sh {} \;

    Sample output:

    APK: ./com.google.android.youtube-10.39.54-107954130-minAPI15.apk
             SHA1: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00
    APK: ./com.google.android.youtube_10.40.56-108056134_minAPI15_maxAPI22(armeabi-v7a)(480dpi).apk
             SHA1: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00
    