How to check the Signing Certificate on an Android app / apk.

January 3rd, 2019

If you own an Android phone and want to use Signal instead of WhatsApp or Telegram for privacy reasons, and, for the same privacy reasons, you don't have a Google Account on your phone, or you use the free F-Droid instead of Google Play, there is a solution. You can download the Signal APK directly from their website: https://signal.org/android/apk/

They give a warning:

Advanced users with special needs can download the Signal APK directly. Most users should not do this under normal circumstances.

What are normal circumstances these days? You can't trust Facebook anymore. Maybe you can trust Google, but you don't want to trust Google, because trusting Google means telling Google where you are, what you do, what you say, what and who you see, and who your friends are.

It's not a matter of trust, it's a matter of privacy and decency not to do that.

So downloading the Signal APK is probably what you should do these days. But how can you be sure you downloaded the real one?

The website tells you to verify that the signing certificate on the APK matches the SHA256 fingerprint it publishes. Unfortunately it doesn't tell you how to do that.

Verify the signing certificate on the Signal APK.

This one-liner extracts the signature block from the APK and prints the certificate it contains, including the SHA256 fingerprint that has to be checked (keytool is part of the Java runtime, so you need a JRE or JDK installed):

unzip -p Signal-website-release-4.31.6.apk META-INF/SIGNAL_S.RSA > /tmp/tmp.cert ; keytool -printcert -file /tmp/tmp.cert

You get this output:

Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: RSA (1024)
Version: 3

As you can see, the SHA256 fingerprint is the same as the one on the Signal download page.

That settles what this check can settle: the signature block inside the APK carries Signal's signing certificate, so the file was signed with Signal's key and not repackaged under someone else's. Be aware of what it does not do. keytool -printcert only prints the certificate embedded in the signature block; it does not check that the signature actually covers the files in the archive. Android performs that check when you install the APK and refuses a package whose contents do not match its signature, and apksigner verify --print-certs from the Android SDK build-tools performs the same check on your computer. Compare the whole fingerprint, not just the first few bytes, and take the expected value only from the Signal download page over HTTPS.
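The following script is an added example, not code from this post or from Signal. It does in pure Python what the unzip/keytool one-liner does, so it works without a Java runtime, and it does not assume the signature block is called SIGNAL_S.RSA: it reads every META-INF/*.RSA, *.DSA or *.EC entry, walks the DER of the PKCS#7 SignedData structure to the embedded certificate, computes the SHA-256 fingerprint that keytool prints, and compares it with an expected value (colons and letter case do not matter). Like the one-liner, it identifies the certificate; it does not verify the signature over the archive contents. The archive it builds for itself is constructed test data with a placeholder DER SEQUENCE in place of a real certificate; the entry name META-INF/CERTIFIC.RSA in the demo and all function names are mine.

```python
"""Added example: the keytool fingerprint check done in pure Python.

Identifies the certificate in an APK's JAR-style (v1) signature block, as
`keytool -printcert` does. It does NOT verify the signature over the archive
contents; Android does that at install time, `apksigner verify` on a desktop.
"""
import hashlib
import io
import sys
import zipfile

SEQUENCE, SET, CONTEXT_0 = 0x30, 0x31, 0xA0                 # DER tags used below
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # TLV of 1.2.840.113549.1.7.2
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def _read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, elem_start, value_start, value_end) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve

def certificates_from_pkcs7(blob):
    """Return the DER bytes of every certificate in a PKCS#7 SignedData blob."""
    tag, vs, ve = _read_tlv(blob, 0)                     # ContentInfo
    if tag != SEQUENCE:
        raise ValueError("signature block is not a DER SEQUENCE")
    kids = list(_children(blob, vs, ve))
    if len(kids) != 2 or blob[kids[0][1]:kids[0][3]] != OID_SIGNED_DATA or kids[1][0] != CONTEXT_0:
        raise ValueError("not a pkcs7-signedData block")
    sd_tag, sd_vs, sd_ve = _read_tlv(blob, kids[1][2])   # [0] EXPLICIT -> SignedData
    if sd_tag != SEQUENCE:
        raise ValueError("malformed SignedData")
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #   certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos }
    for t, _, cs, ce in _children(blob, sd_vs, sd_ve):
        if t == CONTEXT_0:
            return [blob[es:ee] for ct, es, _, ee in _children(blob, cs, ce) if ct == SEQUENCE]
    raise ValueError("signature block carries no certificates")

def cert_sha256(cert_der):
    """SHA-256 of the DER certificate, formatted like keytool's SHA256: line."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())

def normalize_fingerprint(fp):
    return fp.replace(":", "").replace(" ", "").upper()

def signer_fingerprints(apk):
    """[(entry, fingerprint), ...] for every top-level META-INF/*.RSA|*.DSA|*.EC."""
    found = []
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            top_level = name.startswith("META-INF/") and "/" not in name[9:]
            if top_level and name.upper().endswith(SIGNATURE_BLOCK_SUFFIXES):
                found += [(name, cert_sha256(c)) for c in certificates_from_pkcs7(z.read(name))]
    return found

def check_apk_signer(apk, expected_sha256):
    """True iff at least one signature block exists and every certificate in every
    block has the expected fingerprint (normal case: one self-signed cert per block)."""
    found = signer_fingerprints(apk)
    expected = normalize_fingerprint(expected_sha256)
    return bool(found) and all(normalize_fingerprint(fp) == expected for _, fp in found)

# ---- constructed demo data, so the script runs offline without a real APK ----
def _tlv(tag, body):
    """Encode a DER TLV, short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

# Placeholder, NOT a real X.509 certificate: the parser never looks inside the
# certificate, it only hashes the whole TLV, so any DER SEQUENCE exercises it.
DEMO_CERT = _tlv(SEQUENCE, b"constructed placeholder certificate, not X.509")

def build_demo_apk(cert_der=DEMO_CERT, entry="META-INF/CERTIFIC.RSA"):
    """In-memory zip shaped like a v1-signed APK (constructed test data)."""
    signed_data = _tlv(SEQUENCE, b"".join([
        _tlv(0x02, b"\x01"),                                       # version
        _tlv(SET, b""),                                            # digestAlgorithms
        _tlv(SEQUENCE, bytes.fromhex("06092a864886f70d010701")),  # encapContentInfo: id-data
        _tlv(CONTEXT_0, cert_der),                                 # certificates [0]
        _tlv(SET, b""),                                            # signerInfos
    ]))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"not real dex bytes")
        z.writestr(entry, _tlv(SEQUENCE, OID_SIGNED_DATA + _tlv(CONTEXT_0, signed_data)))
    return buf

if __name__ == "__main__":
    # usage: check_apk_signer.py <file.apk> <expected SHA256>; with no args, run the demo
    real = len(sys.argv) == 3
    apk, expected = (sys.argv[1], sys.argv[2]) if real else (build_demo_apk(), cert_sha256(DEMO_CERT))
    for entry, fp in signer_fingerprints(apk):
        print(f"{entry}: SHA256 {fp}")
    ok = check_apk_signer(apk, expected)
    print("MATCH" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

Run it with no arguments to see the demo, or with the APK path and the fingerprint from the Signal download page to check a real download; the exit status is 0 only on a match, so it can sit in a script. The walker deliberately stops at the certificate set and hashes each certificate as an opaque DER blob, which is exactly what the keytool fingerprint is, so there is no need to parse X.509 itself.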

UPDATE 2022 (see new blogpost)


5 Responses to “How to check the Signing Certificate on an Android app / apk.”

  1. Peter Says:

    Bullshit. Doesn’t work.

  2. webonomic Says:

    You're wrong. It does. Dependency: keytool, which is part of Java, so you need `openjdk-13-jre-headless`.

    unzip -p Signal-website-universal-release-4.44.7.apk META-INF/SIGNAL_S.RSA > /tmp/tmp.cert ; keytool -printcert -file /tmp/tmp.cert
    Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Serial number: 4bfbebba
    Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
    Certificate fingerprints:
    SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
    SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
    Signature algorithm name: SHA1withRSA
    Subject Public Key Algorithm: 1024-bit RSA key
    Version: 3

  3. Albert Says:

    Yep, this works. Thanks.

    Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
    Certificate fingerprints:
    SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
    SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
    Signature algorithm name: SHA1withRSA
    Subject Public Key Algorithm: 1024-bit RSA key

  4. Matthew Says:

    Thanks webonomic. This was quite helpful.

    I’m offering a quick tweak in order for this to work with the latest release (5.39.3). In 5.39.3, the signing key is located in META-INF/CERTIFIC.RSA, rather than SIGNAL_S.RSA at the time of the original posting.

    In order to find the name of the correct directory in future releases, you can use unzip -l Signal-Android-website-prod-universal-release-5.39.3.apk | grep '.RSA'
    This will show you the name of the directory being used for the keys.
    Put that in your above one-liner and you are all set:
    unzip -p Signal-Android-website-prod-universal-release-5.39.3.apk META-INF/CERTIFIC.RSA | keytool -printcert
    (I modified the one-liner to simply pipe the output of unzip to keytool.)

    While we're at it, another method is to use apksigner, which is what Signal suggests using, though I like the method you describe better. In order not to have to wade through countless warning messages, grep is required. Using "256" will pull out the certificate hash you are looking for:
    apksigner verify --print-certs "Signal-Android-website-prod-universal-release-5.39.3.apk" | grep 256

    Anyway, thanks again. I hope someone can use this.

  5. webonomic Says:

    @Matthew.

    Thank you for pointing out the new location of the signing key.

    And yes, piping is easier. 😉 Thanks again.
