G33K-TRICKS: How to get signature Checksum of any Apk on MAC

Thursday, October 27, 2022



Command to get the Signature Checksum of any APK on Mac machine





What is a signature checksum?
Let's start with: what is a checksum? A checksum is a sequence of letters and numbers derived from a piece of data, used to detect errors introduced while the data is being saved or transmitted. If you have the checksum of the original file, you can use it to confirm that the file you downloaded or saved is the same one, or whether any tampering happened in transit or before it was shared with you.

Now, coming to APKs: SHA-256, SHA-512 and MD5 are hashing algorithms used when signing a file. The file can be an .apk, a .txt, or anything else.
A file is signed so that its authenticity can be verified. If the APK is tampered with, the checksum changes, and by comparing the original checksum with the one computed from your copy you can confirm whether the APK was modified before you start using it.
For Android APKs, a tool called apksigner.jar is used to sign an APK and to verify and print its signature checksum. The binary is part of the Android SDK, usually under build-tools.

Running the apksigner tool with no arguments gives the output below:

USAGE: apksigner <command> [options]
       apksigner --version
       apksigner --help

EXAMPLE:
       apksigner sign --ks release.jks app.apk
       apksigner verify --verbose app.apk

apksigner is a tool for signing Android APK files and for checking whether
signatures of APK files will verify on Android devices.

COMMANDS
rotate                Add a new signing certificate to SigningCertificateLineage
sign                  Sign the provided APK
verify                Check whether the provided APK is expected to verify on
                      Android
lineage               Modify the capabilities of one or more signers in an existing
                      SigningCertificateLineage
version               Show this tool's version number and exit
help                  Show this usage page and exit



I will not go into the details of what each command does, but if you are interested in reading further and want to learn more about apksigner, take a look at developers.android.com.



Check the SDK build-tools path. It will look something like this:

/Users/<YourUserName>/Library/Android/sdk/build-tools/29.0.2/

Signature checksum command for Windows Machine:



apksigner verify -print-certs [apk] | grep -Po "(?<=SHA-256 digest:) .*" | xxd -r -p | openssl base64 | tr -d '=' | tr -- '+/=' '-_'


Signature checksum command for Mac Machine:



On Mac machines, however, the bundled grep does not support the -P option (Perl-compatible regular expressions) and fails with an "invalid option -- P" error:

$ grep -Po
grep: invalid option -- P
usage: grep [-abcdDEFGHhIiJLlMmnOopqRSsUVvwXxZz] [-A num] [-B num] [-C[num]]
        [-e pattern] [-f file] [--binary-files=value] [--color=when]
        [--context[=num]] [--directories=action] [--label] [--line-buffered]
        [--null] [pattern] [file ...]



To resolve that, we replace the grep step with Perl, whose regular expressions support the same lookbehind syntax. The following Perl command is a drop-in replacement for grep -Po:

perl -nle 'print $& if m{(?<=SHA-256 digest:) .*}'


So below is the final command to find the signature checksum of an Android APK on a Mac:

/Users/<YourUserName>/Library/Android/sdk/build-tools/<BuildToolVersion>/apksigner verify -print-certs <PATH_TO_APKFile> | perl -nle 'print $& if m{(?<=SHA-256 digest:) .*}' | xxd -r -p | openssl base64 | tr -d '=' | tr -- '+/=' '-_'
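As an added example (not part of the original post), the same pipeline in Python, which needs neither GNU grep nor Perl on a Mac: parse the apksigner output, turn each signer's SHA-256 certificate digest into unpadded URL-safe base64, and compare the result against a pinned value. The apksigner output below is a constructed sample, and run_apksigner assumes the build-tools path shown above.

```python
import base64
import hmac
import re
import subprocess

# Constructed sample of `apksigner verify -print-certs app.apk` output (not from a real app).
SAMPLE_APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: CN=Example Release, O=Example, C=US
Signer #1 certificate SHA-256 digest: 4d616efbffbf0000004d616efbffbf0102034d616efbffbf6162634d616e0001
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
Signer #1 certificate MD5 digest: 00000000000000000000000000000000
Signer #2 certificate DN: CN=Example Upload, O=Example, C=US
Signer #2 certificate SHA-256 digest: 0000000000000000000000000000000000000000000000000000000000000000
Signer #2 certificate SHA-1 digest: 0000000000000000000000000000000000000000
Signer #2 certificate MD5 digest: 00000000000000000000000000000000
"""

# Same selection as the grep/perl step: the hex after "SHA-256 digest:", one line per signer.
SHA256_LINE = re.compile(r"SHA-256 digest:\s*([0-9A-Fa-f]{64})\s*$", re.MULTILINE)


def signature_checksums(apksigner_output):
    """URL-safe, unpadded base64 of each signer's SHA-256 certificate digest.

    Mirrors the shell pipeline: hex -> bytes (xxd -r -p) -> base64 (openssl base64)
    -> '+' and '/' replaced by '-' and '_' -> '=' padding dropped (the two tr calls).
    """
    checksums = []
    for hex_digest in SHA256_LINE.findall(apksigner_output):
        raw = bytes.fromhex(hex_digest)
        checksums.append(base64.urlsafe_b64encode(raw).decode().rstrip("="))
    return checksums


def matches_expected(apksigner_output, expected_checksum):
    """True if any signer's checksum equals the pinned value (constant-time compare)."""
    return any(hmac.compare_digest(c, expected_checksum)
               for c in signature_checksums(apksigner_output))


def run_apksigner(apksigner_path, apk_path):
    """Run the real tool; apksigner_path is e.g. (assumed from the post)
    /Users/<YourUserName>/Library/Android/sdk/build-tools/<BuildToolVersion>/apksigner."""
    result = subprocess.run([apksigner_path, "verify", "-print-certs", apk_path],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for checksum in signature_checksums(SAMPLE_APKSIGNER_OUTPUT):
        print(checksum)
```

For a real APK, pass run_apksigner(path_to_apksigner, path_to_apk) into signature_checksums; an APK signed by more than one certificate yields one checksum per signer.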


In conclusion, checksums are an essential way to confirm the authenticity of APK files. By following the steps in this guide, you can find the signature checksum of an APK on a Mac machine.
