Tuesday, July 19, 2016

Verify an APK is signed with correct certificate

How do I determine if the APK produced by the build system has been signed correctly with the production certificate?

jarsigner -verify -verbose -certs my_application.apk >output.txt
You will need to ensure that the Java JDK is included in your PATH. You'll find it here:
C:\Program Files (x86)\Java\jdk1.7.0_55\bin\jarsigner.exe
If you don't, it's likely you haven't correctly installed the Android SDK.

This will produce a lot of output that will show the certificate used to sign each file, which is usually the same certificate.  Open the output.txt file with a text editor.

s      98829 Mon Jul 18 15:45:06 NZST 2016 META-INF/MANIFEST.MF

      X.509, CN=CERTIFICATE_NAME, OU=Department, O=Company Ltd, L=Auckland, ST=Auckland, C=NZ
      [certificate is valid from 01/01/16 10:06 PM to 31/12/43 11:06 PM]
       98950 Mon Jul 18 15:45:06 NZST 2016 META-INF/CERT.SF
        1408 Mon Jul 18 15:45:06 NZST 2016 META-INF/CERT.RSA
sm      7364 Wed Dec 31 16:00:00 NZDT 1980 AndroidManifest.xml

      X.509, CN=CERTIFICATE_NAME, OU=Department, O=Company Ltd, L=Auckland, ST=Auckland, C=NZ
      [certificate is valid from 01/01/16 10:06 PM to 31/12/43 11:06 PM]

Ensure the certificate name is what you expect, and there is no mention of "Debug" in the output file.

I find it useful to do a search and replace for the "CN=CERTIFICATE_NAME" part, replacing it with "@@@@@@" or whatever. Then search for "CN="; if you find any, that means some files are signed with a different certificate.
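The same check can be scripted instead of done by hand in an editor. The following is an added example, not code from the original post: it parses the text that jarsigner -verify -verbose -certs writes to output.txt, and reports any entry outside META-INF whose signature was not verified (no "s" flag), any entry signed by a certificate whose CN is not the expected one, and any certificate mentioning "Debug". The sample output embedded in it is constructed, modelled on the listing above plus one entry signed with a debug certificate and one unsigned entry.

```python
import re

# jarsigner -verbose entry line: flag letters (s = signature verified, m = in manifest,
# k = in keystore), size, date, then the entry path; "X.509, ..." lines follow the entry.
ENTRY_RE = re.compile(r'^(?P<flags>[smki?]*)\s+\d+\s+\S+ \S+ \d+ \S+ \S+ \d{4}\s+(?P<path>\S.*)$')
CERT_RE = re.compile(r'^\s+X\.509,\s*(?P<dn>.*\S)')
CN_RE = re.compile(r'CN=([^,]+)')
# Constructed sample modelled on the listing in the post, plus a classes.dex signed
# with a debug certificate and a resource file with no verified signature at all.
SAMPLE = """\
s      98829 Mon Jul 18 15:45:06 NZST 2016 META-INF/MANIFEST.MF

      X.509, CN=CERTIFICATE_NAME, OU=Department, O=Company Ltd, L=Auckland, ST=Auckland, C=NZ
      [certificate is valid from 01/01/16 10:06 PM to 31/12/43 11:06 PM]
       98950 Mon Jul 18 15:45:06 NZST 2016 META-INF/CERT.SF
        1408 Mon Jul 18 15:45:06 NZST 2016 META-INF/CERT.RSA
sm      7364 Wed Dec 31 16:00:00 NZDT 1980 AndroidManifest.xml
      X.509, CN=CERTIFICATE_NAME, OU=Department, O=Company Ltd, L=Auckland, ST=Auckland, C=NZ
sm       512 Wed Dec 31 16:00:00 NZDT 1980 classes.dex
      X.509, CN=Android Debug, O=Android, C=US
m        100 Wed Dec 31 16:00:00 NZDT 1980 res/raw/notes.txt
"""

def parse_jarsigner_output(text):
    """Group the certificate DNs printed under each entry with that entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        c = CERT_RE.match(line)
        if m:
            entries.append({'path': m.group('path'), 'flags': m.group('flags'), 'certs': []})
        elif c and entries:
            entries[-1]['certs'].append(c.group('dn'))
    return entries

def check_signers(text, expected_cn):
    """Return (path, problem) pairs; an empty list means every entry passed."""
    problems = []
    for e in parse_jarsigner_output(text):
        if e['path'].startswith('META-INF/'):
            continue  # manifest and signature block files carry no signer of their own
        if 's' not in e['flags']:
            problems.append((e['path'], 'signature not verified'))
        for dn in e['certs']:
            cn = CN_RE.search(dn)
            if not cn or cn.group(1) != expected_cn:
                problems.append((e['path'], 'signed by ' + dn))
            if 'debug' in dn.lower():
                problems.append((e['path'], 'debug certificate: ' + dn))
    return problems
```

Run it as `check_signers(open('output.txt').read(), 'CERTIFICATE_NAME')` against a real output.txt; an empty list is the result you want before shipping the APK.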
