Android: How to figure out which key store your app was signed with

It's been more than a few years since I've signed an APK for release and over time I've forgotten which key store I used to sign apps.

Fortunately, if you've got Java installed then you already have everything required to verify this information.

Step 1 - Acquire the APK(s)

Grab the APK file off Google Play Console (it's in "App Bundle Explorer" > "Downloads").

If it's a publicly published app then you could probably try grabbing it from a 3rd party APK host as well, but be wary that some dodgy ones may re-sign your APK.

Step 2 - Get the certificate fingerprints from your key store

Using command prompt, go to the "bin" folder in your Java install path. For me, it was at:
cd "C:\Program Files (x86)\Java\jre1.8.0_251\bin"

Use "keytool" to read the key store information:

keytool -list -keystore "C:\Coding\Android\keystore"

It should print out a bunch of info, but the line you're interested in here is the bit after:

Certificate fingerprint (SHA1): ...

Take note of that information somewhere along with the key store filename.

Step 3 - Determining the APK certificate fingerprint

Open the APK file with an archive utility like 7-zip. If you can't figure out how, just rename it from "whatever.apk" to "whatever.zip".

Extract "META-INF\CERT.RSA".

Reusing your command prompt from before and staying in the same path, run keytool again but with a different set of arguments:
keytool -printcert -file "C:\Users\twig\Desktop\whatever\META-INF\CERT.RSA"

Enter in the password if needed.

This will again spit out a bunch of information. The bit you're interested in is the SHA1 line under "Certificate fingerprints":

Certificate fingerprints:
         MD5:  ...
         SHA1: ...
         SHA256: ...

Remember, a key store may contain multiple entries! This means there could be multiple certificate fingerprints.

By verifying the SHA1 fingerprints in the APK and the key store, you should now have enough information to figure out which key store entry was used to sign the APK.
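The comparison from Steps 2 and 3 can be scripted once both keytool outputs are saved as text. This is an added example, not part of the original post: it assumes the Java 8 keytool output format shown above, and the aliases, dates and fingerprints in the samples are constructed.

```python
import re

# Constructed sample of `keytool -list -keystore ...` output (Java 8 format).
KEYSTORE_LISTING = """\
Your keystore contains 2 entries
oldapp, 03-Feb-2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
releasekey, 12-Mar-2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4
"""

# Constructed sample of `keytool -printcert -file ...CERT.RSA` output.
APK_CERT = """\
Owner: CN=Example Dev
Certificate fingerprints:
\t MD5:  0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
\t SHA1: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4
\t SHA256: 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
"""

# An entry line ("alias, date, SomethingEntry,") followed by its SHA1 line.
# Assumes the alias itself contains no comma.
ENTRY = re.compile(
    r"^([^,\n]+),.*Entry,\s*\n\s*Certificate fingerprint \(SHA1\):\s*(\S+)",
    re.MULTILINE)

def normalize(fp):
    """Drop separators and case so pasted fingerprints compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(digits) != 40:  # SHA1 is 20 bytes = 40 hex digits
        raise ValueError("not a SHA1 fingerprint: %r" % fp)
    return digits

def keystore_fingerprints(listing):
    """Map every alias in the key store listing to its SHA1 fingerprint."""
    return {alias.strip(): normalize(fp) for alias, fp in ENTRY.findall(listing)}

def apk_fingerprint(printcert):
    """Pull the SHA1 line (not MD5 or SHA256) out of the printcert output."""
    m = re.search(r"^\s*SHA1:\s*(\S+)", printcert, re.MULTILINE)
    if not m:
        raise ValueError("no SHA1 line in printcert output")
    return normalize(m.group(1))

def matching_aliases(listing, printcert):
    """Return the key store aliases whose certificate signed the APK."""
    target = apk_fingerprint(printcert)
    return [a for a, fp in keystore_fingerprints(listing).items() if fp == target]

if __name__ == "__main__":
    print(matching_aliases(KEYSTORE_LISTING, APK_CERT))
```

An empty result means none of the entries in that key store match, so repeat the check with the listing from the next candidate key store.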

Good luck!


Copyright © Twig's Tech Tips