Command to get the Signature Checksum of any APK on a Mac machine
What is a signature checksum?
Let's start with, what is a checksum?
A checksum is a sequence of letters and numbers derived from data, used to detect errors that can be introduced while the data is being saved or transmitted. If you have the checksum of the original file, you can use it to check whether the file you downloaded or saved is actually the same, or whether there was any tampering during transmission or before it was shared with you.
Now, coming to APKs: SHA-256, SHA-512 and MD5 are hashing algorithms used while signing a file. The file can be .apk, .txt
A file is signed so that its authenticity can be verified. If the APK is tampered with, the checksum changes, and by comparing the original checksum with the file's checksum you can confirm whether the APK was modified before you start using it.
For Android APKs, a tool called apksigner.jar is used to sign and verify the checksum. That binary is available in the Android SDK, usually under build-tools.
Running the apksigner tool on its own gives the output below:
USAGE: apksigner <command> [options]
       apksigner --version
       apksigner --help

EXAMPLE:
       apksigner sign --ks release.jks app.apk
       apksigner verify --verbose app.apk

apksigner is a tool for signing Android APK files and for checking whether
signatures of APK files will verify on Android devices.

COMMANDS
rotate    Add a new signing certificate to SigningCertificateLineage
sign      Sign the provided APK
verify    Check whether the provided APK is expected to verify on
          Android
lineage   Modify the capabilities of one or more signers in an existing
          SigningCertificateLineage
version   Show this tool's version number and exit
help      Show this usage page and exit
I will not go into the details of what each command does, but if you want to learn more about apksigner, you can take a look at developers.android.com.
Check for the SDK build tools path. It would look something like below:
/Users/<YourUserName>/Library/Android/sdk/build-tools/29.0.2/
Signature checksum command for Windows Machine:
apksigner verify -print-certs [apk] | grep -Po "(?<=SHA-256 digest:) .*" | xxd -r -p | openssl base64 | tr -d '=' | tr -- '+/=' '-_'
Signature checksum command for Mac Machine:
But on Mac machines, grep with -Po does not work: the -P option is not supported, and grep throws an "invalid option -- P" error.
$grep -Po
grep: invalid option -- P
usage: grep [-abcdDEFGHhIiJLlMmnOopqRSsUVvwXxZz] [-A num] [-B num] [-C[num]]
[-e pattern] [-f file] [--binary-files=value] [--color=when]
[--context[=num]] [--directories=action] [--label] [--line-buffered]
[--null] [pattern] [file ...]
To resolve that, we replace the grep step with a perl command.
The following Perl command is the replacement for grep:
perl -nle 'print $& if m{(?<=SHA-256 digest:) .*}'
So below is the final command to find the checksum of an Android APK:
/Users/<YourUserName>/Library/Android/sdk/build-tools/<BuildToolVersion>/apksigner verify -print-certs <PATH_TO_APKFile> | perl -nle 'print $& if m{(?<=SHA-256 digest:) .*}' | xxd -r -p | openssl base64 | tr -d '=' | tr -- '+/=' '-_'
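A portable variant of the pipeline above, as an added example that is not from the original post: it uses sed instead of grep -P or perl, and a printf loop plus the base64 utility instead of xxd and openssl base64, so it runs unchanged on macOS and Linux. The function names and the sample apksigner output are constructed for illustration, and rejecting an APK with more than one signer is an assumption of this example.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of apksigner.

# Print each signer certificate's SHA-256 digest (hex) found on stdin.
# Anchoring on "Signer #N certificate" skips any other digest lines, and
# sed -n behaves the same on macOS (BSD) and GNU systems.
cert_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9a-fA-F]\{64\}\) *$/\1/p'
}

# Convert one even-length hex digest ($1) to unpadded, URL-safe base64.
hex_to_checksum() {
    hex=$1
    while [ -n "$hex" ]; do
        rest=${hex#??}                                  # everything after the first byte
        printf "\\$(printf '%03o' "0x${hex%"$rest"}")"  # emit that byte as raw binary
        hex=$rest
    done | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Read `apksigner verify --print-certs` output on stdin and compare with $1.
# Returns 0 on match, 1 on mismatch, 2 unless exactly one signer digest is
# present (assumption: a single pinned checksum implies a single signer).
check_apk_cert() {
    expected=$1
    digests=$(cert_digests)
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one signer digest, found $count" >&2
        return 2
    fi
    actual=$(hex_to_checksum "$digests")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 1
    fi
}

# Constructed sample output (not a real certificate).
SAMPLE='Signer #1 certificate DN: CN=Example
Signer #1 certificate SHA-256 digest: fbefbefbefbefbefbefbefbefbefbeffffffffffffffffffffffffffffff0000
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000'

# Demo: print the checksum for every signer in the sample.
printf '%s\n' "$SAMPLE" | cert_digests | while read -r d; do
    hex_to_checksum "$d"; echo
done
```

With a real APK, pipe the apksigner output into the check: apksigner verify --print-certs <PATH_TO_APKFile> | check_apk_cert "<expected checksum>".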
In conclusion, using checksums is crucial in ensuring the authenticity of APK files. By following the steps outlined in this guide, you can find the checksum of an APK file on a Mac machine.