How to get the certificate signing information from an Android .APK

Issue

Android .APK packages are signed with the developer's private key, and the matching public certificate is embedded in the package. A method is needed to display that certificate's details, both to determine which certificate the package was signed with and to obtain additional information about it.

Resolution

Method 1
Use the jarsigner binary to verify signatures and list the manifest contents.

$ jarsigner -verify -certs -verbose app.apk 

sm      3940 Mon Jan 07 08:24:42 WST 2013 res/layout/main.xml

      X.509, CN=Jamie Morrison, OU=Android, O=smudge.io, C=AU
      [certificate is valid from 1/7/13 8:24 AM to 1/1/40 8:24 AM]

sm      2600 Mon Jan 07 08:24:42 WST 2013 AndroidManifest.xml

      X.509, CN=Jamie Morrison, OU=Android, O=smudge.io, C=AU
      [certificate is valid from 1/7/13 8:24 AM to 1/1/40 8:24 AM]

...

sm    123344 Mon Jan 07 08:24:42 WST 2013 classes.dex

      X.509, CN=Jamie Morrison, OU=Android, O=smudge.io, C=AU
      [certificate is valid from 1/7/13 8:24 AM to 1/1/40 8:24 AM]

        7097 Mon Jan 07 08:24:42 WST 2013 META-INF/MANIFEST.MF
        7150 Mon Jan 07 08:24:42 WST 2013 META-INF/CERT.SF
         839 Mon Jan 07 08:24:42 WST 2013 META-INF/CERT.RSA

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.


Method 2
Extract CERT.RSA from the package and display the certificate with openssl.

- Rename .APK to .ZIP
- Extract META-INF/CERT.RSA
- Run the following openssl command:

$ openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1357518270 (0x50ea15be)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, O=smudge.io, OU=Android, CN=Jamie Morrison
        Validity
            Not Before: Jan  7 00:24:30 2013 GMT
            Not After : Jan  1 00:24:30 2040 GMT
        Subject: C=AU, O=smudge.io, OU=Android, CN=Jamie Morrison
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:93:4c:f7:48:c2:fd:6f:a3:89:7f:6d:7e:91:84:
                    05:3e:21:fa:60:65:cc:56:e0:49:63:23:c7:eb:ef:
                    bd:ba:8f:8e:fc:b5:1c:01:91:40:0b:93:15:6d:37:
                    56:ed:87:7e:a7:0a:2d:6f:7c:4f:2e:86:7c:a5:1d:
                    76:0f:d4:08:ce:d8:72:8d:88:8c:ef:5f:f1:db:36:
                    32:39:97:ee:f2:c0:83:f8:8d:1a:40:ce:91:ad:a0:
                    a5:a1:c9:8e:c0:fe:11:2a:b1:a2:e4:2a:cc:7b:b9:
                    9e:53:d1:fd:98:1e:5f:75:b8:7f:bc:cc:8c:83:4b:
                    20:83:88:3d:fa:7b:37:86:e5
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        76:c9:2f:49:9f:44:64:49:d7:60:fe:60:77:d2:f9:47:83:ab:
        2c:f6:bf:cd:44:9f:f6:ab:16:9f:40:16:ba:6e:02:8c:b5:9e:
        b3:fc:5a:f8:ed:54:26:8a:eb:82:cc:fc:73:ff:40:ae:3f:4f:
        a7:fd:89:13:55:d5:74:31:d5:3e:4c:21:37:2a:b3:f9:83:f5:
        28:b4:f4:6f:4a:bd:d4:26:f6:e0:d1:91:87:6c:2a:29:5b:37:
        55:a5:4c:f7:7f:ea:e9:49:b4:87:8a:af:47:2b:83:7d:fa:58:
        4d:30:7c:c4:8f:b5:c7:eb:a8:3d:97:7c:b1:99:38:8c:6e:51:
        8b:a7


Method 3
Extract CERT.RSA from the package and display the certificate with keytool.

- Rename .APK to .ZIP
- Extract META-INF/CERT.RSA
- Run the following keytool command:

$ keytool -printcert -file CERT.RSA 
Owner: CN=Jamie Morrison, OU=Android, O=smudge.io, C=AU
Issuer: CN=Jamie Morrison, OU=Android, O=smudge.io, C=AU
Serial number: 50ea15be
Valid from: Mon Jan 07 08:24:30 WST 2013 until: Sun Jan 01 08:24:30 WST 2040
Certificate fingerprints:
	 MD5:  4C:C7:1B:61:53:F1:72:F0:53:A1:6C:E2:C4:56:E3:21
	 SHA1: 5C:65:64:19:8F:83:A3:24:C0:49:D5:EE:AD:9D:B3:5D:71:55:7E:EC
	 Signature algorithm name: SHA1withRSA
	 Version: 3
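
The extraction in Methods 2 and 3 can be automated across many packages without renaming or unzipping by hand. The Python below is an added example, not part of the original article: it reads every v1 signature block (META-INF/*.RSA, .DSA or .EC, since the file is not always named CERT.RSA) directly from the APK, walks the PKCS#7 SignedData structure and returns each certificate's fingerprint; pass algo="sha1" to compare with the SHA1 line keytool prints. The function names and the SAMPLE bytes are constructed for illustration, and it assumes the package carries a v1 (JAR) signature.

```python
import hashlib
import io
import re
import zipfile

SIG_BLOCK = re.compile(r"META-INF/[^/]+\.(RSA|DSA|EC)", re.IGNORECASE)
SAMPLE = bytes.fromhex("302a06092a864886f70d010702a01d301b0201013100"   # constructed sample: the
                       "300b06092a864886f70d010701a005300302012a3100")  # "certificate" is a placeholder

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def pkcs7_certificates(der):
    """Return the raw DER of every certificate in a PKCS#7 SignedData blob."""
    _, pos, _ = read_tlv(der, 0)           # ContentInfo SEQUENCE
    _, oid, pos = read_tlv(der, pos)       # contentType OID
    if der[oid:pos] != bytes.fromhex("2a864886f70d010702"):   # 1.2.840.113549.1.7.2
        raise ValueError("not PKCS#7 SignedData")
    _, pos, _ = read_tlv(der, pos)         # [0] EXPLICIT content
    _, pos, end = read_tlv(der, pos)       # SignedData SEQUENCE
    for _field in range(3):                # skip version, digestAlgorithms, contentInfo
        _, _, pos = read_tlv(der, pos)
    certs = []
    if pos < end and der[pos] == 0xA0:     # optional [0] certificates
        _, pos, cert_end = read_tlv(der, pos)
        while pos < cert_end:
            start, (_, _, pos) = pos, read_tlv(der, pos)
            certs.append(der[start:pos])   # full TLV, the bytes keytool hashes
    return certs

def apk_cert_fingerprints(apk, algo="sha256"):
    """Map each v1 signature block file in the APK to its certificates' fingerprints."""
    with zipfile.ZipFile(apk) as zf:
        return {name: [hashlib.new(algo, c).hexdigest() for c in pkcs7_certificates(zf.read(name))]
                for name in zf.namelist() if SIG_BLOCK.fullmatch(name)}

if __name__ == "__main__":
    with zipfile.ZipFile(demo := io.BytesIO(), "w") as zf:   # constructed in-memory "APK"
        zf.writestr("META-INF/CERT.RSA", SAMPLE)
    print(apk_cert_fingerprints(demo))
```

An empty result means the package has no v1 signature block, which is expected for packages signed only with APK Signature Scheme v2 or later.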

Products

Google Android (any)

Created: 7th January 2013
Updated: 7th January 2013


© 2005-2019 Jamie Morrison