12 May 2023 11:28

How to check the electronic signature of an APK file?

Programs for Android smartphones are distributed as APK files not only through application stores but also from various websites. To guarantee integrity and authorship, the developer signs the APK file with their digital signature. How do you manually verify the digital signature of an APK file in Linux?

1) Download the "Command line tools only" archive from the Android Studio downloads page

https://developer.android.com/studio (Downloads section)

On that page, find the section "Command line tools only".

In it, we need the archive with the SDK tools package for the Linux command line:

  • commandlinetools-linux...latest.zip

2) Extract the archive, preserving its directory structure, for example into the ~/android folder.

Go to the cmdline-tools/bin folder:

cd ~/android/cmdline-tools/bin

3) Open a terminal. In it, use the sdkmanager utility to find out the latest version of the command line package for building applications (it contains the digital signature verification program):

./sdkmanager --list --sdk_root='' | grep build

where --list is the command to display the list of available SDK packages, and --sdk_root='' sets the path to Android Studio to empty, because I don't have Android Studio installed.

4) Read the latest available version of the "build-tools" package from the screen, for example 33. Copy that line to the clipboard.

5) Using the data from step 4, create and execute the command:

./sdkmanager "build-tools;33.0.2" --sdk_root=''

Accept the license terms.

The build-tools programs will be installed in the child folder "build-tools/<version number>", for example build-tools/33.0.2.

6) Go to the "build-tools/<version number>" folder:

cd build-tools/33.0.2

or by full path

cd ~/android/cmdline-tools/bin/build-tools/33.0.2

7) Use the apksigner script to check the digital signature of the APK file:

./apksigner verify -v --print-certs ~/folder/file.apk

where ~/folder/file.apk is the path to the APK file whose digital signature we want to check.

To read the result from a file rather than from the screen, redirect the console output to a file on disk:

./apksigner verify -v --print-certs ~/folder/file.apk > ~/signs.txt
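A follow-on check, added here as an example and not part of the original post: a successful `apksigner verify` only shows that the file was not altered after signing, so the signer certificate's SHA-256 digest printed by --print-certs should also be compared with the digest the developer publishes. The script below parses a constructed sample in the shape of apksigner's output; the digests and the expected value are made-up placeholders, and the apksigner path is assumed from the steps above.

```shell
#!/bin/sh
# Pin the signer: a valid signature only proves the APK was not altered after
# signing; comparing the signer certificate's SHA-256 digest with the digest
# the developer publishes proves who signed it.

# Constructed sample in the shape of `apksigner verify -v --print-certs` output.
# The digests are made-up placeholders, not a real certificate.
SAMPLE_OUTPUT='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Developer, O=Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567'

# Print the lower-case SHA-256 digest of signer N (default 1) from apksigner output on stdin.
signer_sha256() {
  n="${1:-1}"
  sed -n "s/^Signer #${n} certificate SHA-256 digest: *//p" | tr 'A-F' 'a-f'
}

# Succeed (return 0) only if the output reports "Verifies", exactly one signer,
# and that signer's certificate digest equals the expected one (colons and case ignored).
check_apk_output() {
  out="$1"
  expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  printf '%s\n' "$out" | grep -qx 'Verifies' \
    || { echo 'signature does not verify' >&2; return 1; }
  printf '%s\n' "$out" | grep -qx 'Number of signers: 1' \
    || { echo 'expected exactly one signer' >&2; return 1; }
  actual=$(printf '%s\n' "$out" | signer_sha256 1)
  [ -n "$actual" ] && [ "$actual" = "$expected" ] \
    || { echo "signer certificate mismatch: $actual" >&2; return 1; }
}

# Real use, assuming apksigner is in the current directory as in the steps above
# and EXPECTED_SHA256 holds the developer's published digest (placeholder name):
# check_apk_output "$(./apksigner verify -v --print-certs ~/folder/file.apk)" "$EXPECTED_SHA256"
```

apksigner itself exits with a non-zero status when the signature does not verify, so in a script check its exit code as well as the parsed digest.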

Source:

How to manually verify apk signatures and compare signing keys