Retrieving The Signing Key Fingerprint on Android

This post is a bit of an aide-mémoire for myself. If you ever need to see which key signed an APK (for example to compare to a client ID in the API console when implementing Google+ Sign-In) you can actually extract the cert from the APK, and test it.

First you need to unzip the APK:

    unzip ~/my-app.apk

You're going to see a bunch of files extracted, including a CERT.RSA, which is usually in META-INF. If you use an alias for your key, it'll be THAT-ALIAS.RSA.

    inflating: META-INF/MANIFEST.MF
    inflating: META-INF/CERT.SF
    inflating: META-INF/CERT.RSA

You can then output the signatures for the certificate with the keytool app:

    keytool -printcert -file META-INF/CERT.RSA

This will print out the various fingerprints, and let you know the details of the certificates owner - handy for checking whether it was accidentally signed with a debug key (which will look something like this):

    Owner: CN=Android Debug, O=Android, C=US
    Issuer: CN=Android Debug, O=Android, C=US
    Serial number: 4f963ac8
    Valid from: Wed Apr 27 12:43:33 BST 2012 until: Fri Apr 20 12:43:33 BST 2042
    Certificate fingerprints:
        MD5: 84:9E:5D:C5:2C:F5:1A:D5:29:B5:D1:28:DF:1A:6D:86
        SHA1: 12:65:36:81:D2:8C:B3:7D:9E:48:55:66:DF:DD:1B:3D:6B:EC:E8:E9
        Signature algorithm name: SHA1withRSA
        Version: 3

Popular posts from this blog

Client-Server Authentication with ID tokens

Image
These days there are few purely client-side applications - even traditionally unconnected software like casual games make use of servers and services to provide a better, richer experience - and importantly one that can follow the user across devices. We are in a world where we need to authenticate a user of many clients to a set of back-end services. There are a few ways of doing that when using a identity provider, like Google, but in this post I want to talk about a specific method that makes use of ID tokens. This approach has been well covered by Tim Bray for Android, but with the release a couple of months ago of the iOS 1.4.0 SDK for Google+, it is now available across Android, iOS and the Web. This makes it a particularly powerful way of signing in a user, and asserting the identity of that user securely to your application servers. Why ID TokensThis whole architecture relies on a point of view which I suspect is still not particularly common amongst developers implementing au…
Read more

Common problems with Google+ Sign-In on Android

Image
It has been fantastic to see so many people trying out Google+ Sign-In, and through the bootcamps and other events I've had a chance to talk to some people who are actually implementing it in their apps. The Android integration is pretty straightforward, thanks to Google Play Services, but there are still some issues I've seem come up a couple of times.

tl;dr: make sure your app is set up in the API console, and make sure you can handle multiple onStart events coming in during sign-in.

1. Consent screen appears more than once. 

The basic life cycle of the PlusClient looks a bit like this:


When we call the onStart, we immediately call mPlusClient.connect(). Google Play Services checks whether the user is already signed in to the application, and, if so the onConnected method is instantly called and the user seamlessly signed in.

If the connect() call fails, then onConnectionFailed() is called with a ConnectionResult object, which represents the error. The error is probably RESOLU…
Read more

Upgrading Firebase.com & Using Google Sign In on Android

Image
Very quick post on a problem I've seen a few people hit where they are upgrading a Firebase.com project which uses Google Sign In on Android.
Just Tell Me What To Do Already 1. Upgrade your Firebase.com project

2. Connect your Android app, but do not enter a SHA1

3. Go to the old Google Developers/Google Cloud project you were using and copy each client ID used for an Android app (e.g. the debug and release versions at least). 

4. In the Auth > Sign In Method > Google panel, enter the client IDs you copied before. 

This ensures your existing app keeps working, and sets you up for transitioning to the new SDK.  Why Am I Doing This? There are a couple of things to know:  The specific combination of Android package name and SHA1 is unique across Google. It can only exist in a single Google project, and is associated with a single client ID. An upgraded Firebase project is a Google project underneath.  This means if you go through the upgrade flow, attempt to connect your Android…
Read more