11

I have downloaded the signal app from https://signal.org/android/apk/. To verify the download, there is a fingerprint provided. But how can I verify this fingerprint with the file? I know that I can use sha256sum to verify a hash, but I guess for a fingerprint I need a certificate or something similar?

Jekoula
    Fingerprint is just another name for the hash – paj28 Feb 01 '18 at 21:45
  • No, the hash of the download looks like `0fe5f808b4827254543de92f524af6cfba1e3142a5823f62966d325a9e725016`; the fingerprint on the website is `29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26` – Jekoula Feb 01 '18 at 22:01

4 Answers

12

You've missed a key word in the download page:

You can verify the signing certificate on the APK matches this SHA256 fingerprint

(emphasis mine)

APK files are just ZIP files in reality, so open it up with whatever archive tool you want (I use 7zip) and extract META-INF\CERT.RSA from it. You can then verify that the certificate fingerprint matches what is written on the site. Note that this isn't the same as the hash of the whole certificate either! You'll need to use keytool to check it.

The keytool binary is included in the Java JDK (usually in the %ProgramFiles%\Java\jdk_<version>\bin\ directory), and can be used as follows:

keytool -printcert -file X:\Path\To\CERT.RSA

Output looks like this:

Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 16:24:42 BST 2010 until: Tue May 16 16:24:42 BST 2045
Certificate fingerprints:
         MD5:  D9:0D:B3:64:E3:2F:A3:A7:BD:A4:C2:90:FB:65:E3:10
         SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
         Signature algorithm name: SHA1withRSA
         Version: 3

You can see that the SHA256 fingerprint matches what we saw on the site.

Once you've verified this you can go ahead and install the APK onto your Android device. Since you've verified that the signing certificate inside the APK matches the one that Signal expects you to see, you can then rely upon the Android operating system to validate that the APK is properly signed - it won't allow you to load it otherwise.

Polynomial
  • The fingerprints _are_ hashes of the cert, but the `META-INF/signer.{DSA,RSA,EC}` entry/file is not just the cert -- it is a PKCS7 SignedData detached signature _containing_ the cert chain, and a PKCS7 SignedData containing a cert chain is one of the things (`CertificateFactory` and) `keytool` can read, but of course hash of the PKCS7 differs from hash of the cert – dave_thompson_085 Jan 06 '19 at 08:38
  • Just verifying the certificate is IMHO not enough on Android, as by definition self-signed certificates are used. Whether you can trust a certificate is therefore a difficult question. The only way is to check the other apps that have been signed using the same certificate. The only way I know to do so is to use the Play Store crawling service androidobservatory.org. It has an API for checking which apps have been signed by the same certificate based on the SHA-1 fingerprint of the certificate: https://androidobservatory.org/cert/45989DC9AD8728C2AA9A82FA55503E34A8879374 – Robert Nov 01 '19 at 08:17
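The same check in code, as an added example (standard-library Python, not part of this answer or of Signal's tooling): read the v1 signature file out of the APK ZIP, pull the certificate DER out of the PKCS#7 SignedData wrapper, and hash it. As dave_thompson_085's comment notes, the fingerprint is the SHA-256 of the certificate itself, so hashing CERT.RSA as a whole gives a different value; the entry-name pattern is assumed from the JAR signing layout, and `normalize` lets keytool's colon-separated output be compared with apksigner's plain hex.

```python
import hashlib
import re
import zipfile
from typing import Iterator, List, Tuple

# v1 (JAR) signature blocks live under META-INF; the suffix names the key algorithm
SIGNATURE_FILE = re.compile(r"^META-INF/.*\.(RSA|DSA|EC)$", re.IGNORECASE)

def der_tlvs(data: bytes) -> Iterator[Tuple[int, bytes, bytes]]:
    """Yield (tag, body, whole_element) for each DER element at the top level of data."""
    i = 0
    while i < len(data):
        tag, length, hdr = data[i], data[i + 1], 2
        if length & 0x80:                # long form: low 7 bits = number of length octets
            n = length & 0x7F
            length = int.from_bytes(data[i + 2:i + 2 + n], "big")
            hdr += n
        yield tag, data[i + hdr:i + hdr + length], data[i:i + hdr + length]
        i += hdr + length

def certificates_from_pkcs7(blob: bytes) -> List[bytes]:
    """DER bytes of each certificate carried in a PKCS#7 SignedData (e.g. META-INF/CERT.RSA).
    ContentInfo SEQ { OID signedData, [0] EXPLICIT SignedData SEQ { version, digestAlgorithms,
    encapContentInfo, certificates [0] IMPLICIT SET OF Certificate OPTIONAL, crls [1], signerInfos } }
    """
    content_info = next(der_tlvs(blob))[1]
    _oid, wrapper = list(der_tlvs(content_info))[:2]
    signed_data = next(der_tlvs(wrapper[1]))[1]
    # the optional certificates field is the context-specific constructed tag [0] == 0xA0
    certs = [body for tag, body, _ in der_tlvs(signed_data) if tag == 0xA0]
    return [whole for _, _, whole in der_tlvs(certs[0])] if certs else []

def fingerprint(cert_der: bytes) -> str:
    """keytool-style SHA-256 fingerprint: upper-case hex pairs joined by colons."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def normalize(fp: str) -> str:
    """Strip colons, spaces and case so keytool ('29:F3:..') and apksigner ('29f3..') compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def apk_signer_fingerprints(apk_path: str) -> List[str]:
    """SHA-256 fingerprints of every signing certificate in the APK's v1 signature files."""
    found = []
    with zipfile.ZipFile(apk_path) as apk:
        for name in apk.namelist():
            if SIGNATURE_FILE.match(name):
                found.extend(fingerprint(c) for c in certificates_from_pkcs7(apk.read(name)))
    return found
```

Compare `normalize(expected_from_website)` against `normalize(fp)` for each returned fingerprint; a match means the embedded certificate is the one the site lists, while Android itself still has to check that the signature over the APK contents is valid.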
8

The correct way to verify an APK file is to use apksigner from Android SDK.

Unlike the other answers here, which are based on keytool, apksigner has two major advantages:

  1. It actually verifies that the signature is correct and the APK has not been modified.
  2. It does not rely on the old APK signature scheme v1 (also known as "JAR signature"). Instead it can also process APKs that have been signed using the APK signature schemes v2 and v3 (there are already apps available that don't have a v1 signature at all, so those apps can't be checked using keytool).

apksigner is part of the Android build tools, so you may find multiple versions installed, one for each build-tools version.

One example path within the Android SDK to apksigner.bat/apksigner.sh is:

android-sdk/build-tools/29.0.2/apksigner

Execute apksigner this way:

apksigner verify --verbose --print-certs "Signal-website-universal-release-4.49.13.apk"

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374
Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
Signer #1 public key SHA-256 digest: 75336a3cc9edb64202cd77cd4caa6396a9b5fc3c78c58660313c7098ea248a55
Signer #1 public key SHA-1 digest: b46cbed18d6fbbe42045fdb93f5032c943d80266
Signer #1 public key MD5 digest: 0f9c33bbd45db0218c86ac378067538d
<skipped a lot of warnings>

Now you have verified the APK, but you still don't know whether you can trust the person/organization who signed the APK file. This is because on Android, APK signatures by definition use self-signed certificates. Whether you can trust a certificate is therefore a difficult question. The only way is to check the other apps that have been signed using the same certificate.

The APK hoster APKMirror.com allows searching for APKs by their SHA-1 and SHA-256 issuer/certificate hash:

https://www.apkmirror.com/?s=29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26&post_type=app_release&searchtype=app

Edit 2021-10-19: androidobservatory.org seems to be out of service.

Another service that allows searching for SHA-1 certificate hashes is androidobservatory.org. It has an API for checking which apps have been signed by the same certificate using the certificate SHA-1 digest:

https://androidobservatory.org/cert/45989DC9AD8728C2AA9A82FA55503E34A8879374

On this page you can see all the other APK files on the Google Play Store that are signed with the same certificate.

Robert
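As an added example (standard-library Python; not Robert's code and not part of apksigner), the following locates the APK Signing Block that the v2/v3 schemes store directly in front of the ZIP Central Directory and reports which scheme blocks are present, which is the structure behind the "Verified using v2/v3 scheme" lines above. It only detects the blocks; verifying the signatures inside them is apksigner's job. The block IDs are the ones Android assigns (0x7109871a for v2, 0xf05368c0 for v3); `sample_apk` builds a constructed fixture, not a real APK.

```python
import io
import struct
import zipfile
from typing import Dict, Iterable

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}   # block IDs Android assigns to the schemes

def cd_offset(data: bytes) -> int:
    """Offset of the ZIP Central Directory, read from the End of Central Directory record."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    return struct.unpack_from("<I", data, eocd + 16)[0]

def signing_block_schemes(data: bytes) -> Dict[str, int]:
    """Which v2/v3 blocks the APK Signing Block carries, as {scheme: value length in bytes}.
    Layout, placed right before the Central Directory:
      uint64 size | pairs (uint64 len, uint32 ID, value)... | uint64 size | 16-byte magic
    An empty result means the APK can only carry a v1 (JAR) signature."""
    cd = cd_offset(data)
    if cd < 32 or data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", data, cd - 24)[0]      # trailing copy of the size field
    start = cd - 8 - size                                  # leading size field (excluded from size)
    if struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    found, pos = {}, start + 8
    while pos < cd - 24:
        pair_len, block_id = struct.unpack_from("<QI", data, pos)
        if block_id in SCHEME_IDS:
            found[SCHEME_IDS[block_id]] = pair_len - 4     # value = pair minus the 4-byte ID
        pos += 8 + pair_len
    return found

def sample_apk(block_ids: Iterable[int]) -> bytes:
    """Constructed fixture, not a real APK: a one-entry ZIP with a fake signing block holding
    the given IDs spliced in before the Central Directory, EOCD repointed accordingly."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    plain = buf.getvalue()
    pairs = b"".join(struct.pack("<QI", 4 + 16, bid) + b"\x00" * 16 for bid in block_ids)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd = cd_offset(plain)
    out = bytearray(plain[:cd] + block + plain[cd:])
    struct.pack_into("<I", out, out.rfind(b"PK\x05\x06") + 16, cd + len(block))
    return bytes(out)
```

Run `signing_block_schemes(open("app.apk", "rb").read())` on a real file: an empty dict on an APK that keytool accepts means only the v1 signature exists, while a non-empty one shows the v2/v3 data that keytool never looks at.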
4

The currently working solution is

$ keytool -printcert -jarfile file.apk

Taken from this thread.

  • Works for me with the Signal apk and `openjdk-11-jre-headless` version 11.0.7+10-3~deb10u1 (Debian 10 stable), thanks! – Luc Jun 19 '20 at 15:58
0

You should not open it. It should be used as a command in the terminal, as in the provided example:

keytool -printcert -file X:\Path\To\CERT.RSA
koapsi