This is an 2022 update of an older post.
If you own a Android Phone, and you want to use Signal instead of Whatsapp or Telegram for privacy matters, and, for the same privacy matters, you prefer to use open source Android AOSP instead of the commercial Android variant that is enriched spoiled with proprietary Google services, or you don’t have a Google Account on your phone, or you don’t use Google Play but the free F-Droid software-store, there is a solution. You can download the Signal APK from their website.
To verify that the signing certificate on the APK matches the SHA256 fingerprint on the Signal website you can use the following one-liner.
As Matthew (kudos) pointed out, the certification file has a new name in recent Signal APK’s.
So the one-liner changed a bit:
f="Signal-Android-website-prod-universal-release-5.40.4.apk" ; unzip -p "$f" $(unzip -l "$f" | grep '.RSA' | awk '{print $4}') | keytool -printcert
Hopefully this version will be future proof as the one-liner now uses his suggestion to search/grep for a .RSA file.
Output
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US Serial number: 4bfbebba Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045 Certificate fingerprints: SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26 Signature algorithm name: SHA1withRSA Subject Public Key Algorithm: 1024-bit RSA key Version: 3
As you can see, still the same fingerprint.
Tags: android