APK Signature Check

A modified APK can contain credential-stealing code that looks and works like the real app — until it sends your login to attackers. Signature verification takes 10 seconds and tells you definitively whether the file was tampered with.

Last updated: January 19, 2026

What is an APK signature and how does it work?

An APK signature is a cryptographic seal created using the publisher's private key. When you install an APK, Android computes a hash of the file contents and checks it against the embedded signature. If someone modifies even one byte after signing, the hash changes and Android refuses to install.

Android supports three signature schemes. APK Signature Scheme v1 (JAR-based) signs individual files inside the archive. Scheme v2 signs the entire APK as a block, making tampering detection faster. Scheme v3 adds support for key rotation if the publisher needs to change signing keys. Modern APKs typically use v2 or v3.

Scheme   | How it works                              | Protection level
---------|-------------------------------------------|-------------------------------
v1 (JAR) | Signs each file inside the APK separately | Basic — slower to verify
v2       | Signs the entire APK as a single block    | Strong — fast full-file check
v3       | v2 plus key rotation support              | Strong — allows key changes

How do I verify an APK signature on my computer?

Use apksigner from the Android SDK Build Tools. This tool reads the signature block and checks whether the file contents match. If you do not have the Android SDK installed, you can download just the Build Tools from developer.android.com.

Command (Windows, macOS, Linux):

apksigner verify --verbose --print-certs app.apk

Example output — valid signature:

Verifies
Verified using v2 scheme (APK Signature Scheme v2): true
Signer #1 certificate DN: CN=Publisher, O=Company, C=XX  ← example format
Signer #1 certificate SHA-256 digest: a1b2c3d4...       ← compare with official

Example output — invalid signature:

DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK integrity check failed.

If you see "DOES NOT VERIFY" or "integrity check failed", the file was modified after signing. Delete it and download again from the official source.

Can I check the signature on Android without a computer?

Android itself verifies the signature automatically before installing. If the signature is invalid, you see an error like "App not installed" or "Package appears to be corrupt". However, if you want to inspect certificate details before installing, use an app such as APK Info (Play Store) or App Manager (F-Droid).

Steps with APK Info:

  1. Open APK Info and select the downloaded APK file.
  2. Tap "Signatures" to view the certificate.
  3. Check that the issuer (CN, O fields) matches the official publisher.
  4. Compare the SHA-256 fingerprint if the publisher provides it.

If the certificate issuer is unknown or the fingerprint does not match, the APK may be repackaged. Do not install.

Why does a mismatched signature mean danger?

A mismatched signature proves the file was altered after leaving the publisher. Common causes: someone injected malware, added adware, or replaced the app entirely. Android blocks these files, but if you bypass the warning, you risk installing code the original publisher never approved.

  • Injected code — malware added to the original APK, breaks the signature.
  • Repackaged app — rebuilt with a different certificate, usually to add ads or spyware.
  • Corrupted download — incomplete file, hash mismatch, Android refuses to install.

Always delete and re-download from the official source if signature verification fails.

Where do I find the official fingerprint to compare?

Publishers sometimes list the certificate fingerprint on their official download page or in documentation. If it is not published, you can establish trust by:

  • Comparing with a known-good install: if you have the app from the Play Store, extract its certificate and compare.
  • Checking a previous APK: if you verified a previous version, the certificate should match (unless the publisher rotated keys).
  • Community verification: trusted forums or Reddit threads sometimes share verified fingerprints.

Note: The signing certificate stays the same across app versions. Once you verify it for one version, you can trust the same fingerprint for future updates — unless the publisher announces a key rotation.
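Added example (not code from this page or from the Android SDK): a small Python script that reads the APK Signing Block directly and computes the SHA-256 fingerprint of signer #1's certificate, the same value apksigner prints as "certificate SHA-256 digest", so it can be compared against a published fingerprint on a machine without the Build Tools. It extracts certificates only and does not check the content digests or signatures, so it complements rather than replaces apksigner verify; build_fake_apk constructs a sample APK so the parser can be tried offline.

```python
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID, V3_BLOCK_ID = 0x7109871A, 0xF05368C0

def _u32_prefixed(buf, pos=0):
    """(field, next_pos) for a little-endian uint32-length-prefixed field."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def signer_cert_fingerprints(apk_bytes):
    """SHA-256 of signer #1's certificate per v2/v3 block (apksigner's 'certificate
    SHA-256 digest'). Certificates only: content digests/signatures are not checked."""
    eocd = apk_bytes.rfind(b"PK\x05\x06")                  # zip End of Central Directory
    (cd_offset,) = struct.unpack_from("<I", apk_bytes, eocd + 16)
    if apk_bytes[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}                                          # unsigned or v1-only APK
    (size,) = struct.unpack_from("<Q", apk_bytes, cd_offset - 24)
    pos, end, result = cd_offset - size, cd_offset - 24, {}
    while pos < end:                                       # pairs: uint64 len, uint32 ID, value
        pair_len, block_id = struct.unpack_from("<QI", apk_bytes, pos)
        value, pos = apk_bytes[pos + 12:pos + 8 + pair_len], pos + 8 + pair_len
        if block_id in (V2_BLOCK_ID, V3_BLOCK_ID):         # other IDs: padding, verity, ...
            signer = _u32_prefixed(_u32_prefixed(value)[0])[0]      # signers -> signer #1
            signed_data = _u32_prefixed(signer)[0]
            _, after_digests = _u32_prefixed(signed_data)           # digests precede certs
            cert = _u32_prefixed(_u32_prefixed(signed_data, after_digests)[0])[0]
            result[block_id] = hashlib.sha256(cert).hexdigest()
    return result

def build_fake_apk(cert_der):
    """Constructed sample: minimal zip plus a v2 block holding cert_der (no real digests/sigs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = buf.getvalue()
    eocd = data.rfind(b"PK\x05\x06")
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    lp = lambda b: struct.pack("<I", len(b)) + b          # length-prefix helper
    signed_data = lp(b"") + lp(lp(cert_der)) + lp(b"")    # digests, certificates, attributes
    value = lp(lp(lp(signed_data) + lp(b"") + lp(b"")))   # one signer: signed data, sigs, key
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 8 + 16                             # excludes the leading size field
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    new_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + new_eocd
```

On a real APK, compare the returned hex string with the publisher's value after stripping colons and lower-casing it, since keytool prints the same digest as colon-separated uppercase hex.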

Quick reference: signature verification

Use these tables for quick access to verification methods and to what each result means.

Platform                | Tool                    | Command / Steps
------------------------|-------------------------|------------------------------------------------
Windows / macOS / Linux | apksigner (Android SDK) | apksigner verify --verbose --print-certs app.apk
Windows / macOS / Linux | keytool (Java)          | keytool -printcert -jarfile app.apk
Android                 | APK Info (Play Store)   | Open APK → Signatures → check CN/O fields
Android                 | App Manager (F-Droid)   | Select APK → Signatures tab

Result                        | Meaning                                | Action
------------------------------|----------------------------------------|------------------------------------------
"Verifies" + certificate info | Signature valid, file unmodified       | Safe to install
"DOES NOT VERIFY"             | File was modified after signing        | Delete, re-download from official source
Unknown certificate issuer    | Signed by someone other than publisher | Do not install — likely repackaged