ShaFingerprint: Get SHA1 Fingerprint Certificate of app

vknow360 · March 16, 2023, 6:29am

1. Introduction

Description: Using this extension you can get SHA1 Fingerprint Certificate of app which can be used to verify authenticity of app. If someone has re-compiled the app, the certificate will be different from the original.
Version: 1
Released: 2023-03-15T18:30:00Z

2. Blocks

3. Usages

Returns SHA1 Fingerprint Certificate of app

4. Downloads

Aix:
com.sunny.sha.aix (6.9 KB)

Hope it helps!

TIMAI2 · March 16, 2023, 4:20pm

Could you show a usage example for this?

I get a different sha1sum when running the apk on linux?

vknow360 · March 17, 2023, 1:34am

Different than what you signed it with?

TIMAI2 · March 17, 2023, 12:06pm

If I build an apk with this extension in it, if i then run the app, click the button, which displays the extension's sha1sum in a label.

If I run a sha1sum on the apk on my computer (linux), I get a completely different sha1sum.

vknow360 · March 18, 2023, 4:27am

Strange, I am getting same SHA1 on Windows and android.

Screenshot (9)

vknow360 · March 18, 2023, 4:28am

Anke · March 18, 2023, 5:15am

Me too.
So what's the problem...why did you unlist the topic?

(Although it's not quite clear to me yet, where this extension could help us. )

vknow360 · March 18, 2023, 5:35am

I thought to wait till Tim's response.

Someone told me that he wants to get SHA1 during runtime to verify whether user is having original or decompiled version. I forgot that apk can be signed again with the original certificate
So it maybe useful for him but surely not for others.

Anke · March 18, 2023, 5:38am

Yes, and that's exactly what I've been doing for more than 10 years (with all my Play Store apps).

vknow360 · March 18, 2023, 5:50am

My bad. Otherwise it could have been a good method to differentiate hacked versions.

Anke · March 18, 2023, 5:58am

I still don't see any reason to unlist the topic, as it might be useful for some users if they can match their compiled / decompiled app's fingerprint to that in the Play Developer Console.

Of course, there are other ways to do this than through the app itself. But for some it may be easier this way.

TIMAI2 · March 18, 2023, 11:52am

On Linux:

$ openssl dgst -sha1 testsha1.apk
SHA1(testsha1.apk)= 6d25842bda91e3ab829f6ad3e9612ec9c243e303

$ sha1sum -b testsha1.apk
6d25842bda91e3ab829f6ad3e9612ec9c243e303 *testsha1.apk

in the app:

vknow360 · March 19, 2023, 6:56am

Please try again with keytool.

keytool -printcert -file ANDROIDK.RSA

You can find ANDROIDK.RSA file in META-INF dir of apk.

TIMAI2 · March 19, 2023, 6:47pm

OK, that works, but what a struggle to get the matching "SHA1" of an apk.

If you use @Juan_Antonio 's Terminal app, you can run a sha1sum on the apk file....