Article Summary
This guide explains how to verify the authenticity and integrity of Android app files (APK or AAB) provided by Speakap.
Usage Warning: Use this guide only if you handle the distribution of your app yourself (e.g., via Mobile Device Management). This does not apply to apps that are directly published in the Google Play Store by Speakap.
1. Purpose and Introduction
When distributing an app through the Google Play Store, we can guarantee that the app file users get is exactly the one we built. However, when we do not handle the distribution end-to-end, it is technically possible for an app file to be altered before it reaches you or your users.
To improve security and ensure the files are not compromised, we sign all our builds with our proprietary certificates. If the signature of an app matches ours, it is a guarantee of its integrity and authenticity, meaning it was created by us and no modifications were made afterward.
We freely share our public signatures/fingerprints so you can systematically verify every single app file you receive from us using a simple command-line tool. (Note: You might have better ways of doing this automatically within your own systems, and we encourage you to use the best solution you have).
2. Step-by-Step Verification
You can check the signature of any given APK or AAB file and compare it to our official signature by following these steps:
Step 1: Get the command-line tool
Depending on the file type, you will need either the apksigner or keytool command-line tool from Google.
Step 2: Run the command
Open your terminal and run the appropriate command for your file type:
- For an APK file: apksigner verify --print-certs your-app.apk
- For an AAB file: keytool -printcert -jarfile your-app.aab
Note: Just like with any command-line tool, you will need to either add the tool to your PATH, or use the full folder path of the tool when executing the command.
Step 3: Compare the values to Speakap's Official Certificates
Check the output of the command and compare the fingerprint values to the official signatures below. We use two certificates, and your APK/AAB will be signed with one of them. You should get exactly the same values as one of the following:
Certificate 1
- SHA-256: 49:0B:36:AD:7E:A8:7C:CF:C6:45:B1:DB:5A:66:0D:9F:FE:3F:E8:03:4C:81:48:4B:23:C7:3C:4F:44:96:A6:40
- SHA-1: 5F:51:D8:79:F7:02:FE:5D:A6:C2:3E:8D:12:52:4A:31:8C:FE:95:D3
- MD5: 40:51:CE:2F:CD:64:F9:A7:CF:52:3E:03:65:AB:CD:D1
Certificate 2
- SHA-256: 15:5D:46:AE:9D:32:A0:0C:2E:25:4F:B5:60:4E:DD:DC:EC:15:B2:0D:80:66:1F:EF:91:54:23:7C:9D:F3:9C:A6
- SHA-1: 39:67:BE:F6:BC:CC:69:9B:58:A0:2B:A4:C2:E1:75:E1:42:E9:D4:E2
- MD5: 53:EE:BB:72:94:3D:32:20:8F:AA:C4:D8:1C:89:26:F1
3. Example Command Outputs
To help you verify, here is what a successful output looks like for both file types.
Command output for an APK file signed with Certificate 1:
Signer #1 certificate DN: CN=Patrick van der Mijl, OU=Speakap, O=Speakap, L=Amsterdam, ST=Noord-Holland, C=NL
certificate SHA-256 digest: 490b36ad7ea87ccfc645b1db5a660d9ffe3fe8034c81484b23c73c4f4496a640
certificate SHA-1 digest: 5f51d879f702fe5da6c23e8d12524a318cfe95d3
certificate MD5 digest: 4051ce2fcd64f9a7cf523e0365abcdd1
Command output for an AAB file signed with Certificate 2:
Owner: CN=Patrick van der Mijl, O=Speakap, C=NL
Issuer: CN=Patrick van der Mijl, O=Speakap, C=NL
Serial number: 2999e34b
Certificate fingerprints:
SHA1: 39:67:BE:F6:BC:CC:69:9B:58:A0:2B:A4:C2:E1:75:E1:42:E9:D4:E2
SHA256: 15:5D:46:AE:9D:32:A0:0C:2E:25:4F:B5:60:4E:DD:DC:EC:15:B2:0D:80:66:1F:EF:91:54:23:7C:9D:F3:9C:A6
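Steps 1 to 3 of section 2 automated as a shell script, added here as an example and not part of Speakap's own tooling. It normalises the two output formats shown above (lowercase hex from apksigner, colon-separated uppercase from keytool) and compares the SHA-256 fingerprint against the two published certificates. The function names and the script name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Speakap tooling. Pinned values are the SHA-256 fingerprints
# of Certificate 1 and Certificate 2 above, as lowercase hex without colons.
PINNED_SHA256='490b36ad7ea87ccfc645b1db5a660d9ffe3fe8034c81484b23c73c4f4496a640
155d46ae9d32a00c2e254fb5604edddcec15b20d80661fef9154237c9df39ca6'

# stdin: apksigner or keytool output. stdout: every SHA-256 certificate
# fingerprint found, one per line, normalised to 64 lowercase hex characters.
extract_sha256() {
  tr '[:upper:]' '[:lower:]' |
    grep -oE 'sha-?256( digest)?: *(([0-9a-f]{2}:){31}[0-9a-f]{2}|[0-9a-f]{64})' |
    sed -E 's/^sha-?256( digest)?: *//' |
    tr -d ':'
}

# Exact, whole-line match against the pinned list (no prefix or substring matches).
is_speakap_fingerprint() {
  [ -n "$1" ] && printf '%s\n' "$PINNED_SHA256" | grep -qxF -- "$1"
}

# stdin: tool output. Succeeds only if at least one fingerprint is present
# and every fingerprint printed belongs to a pinned certificate.
check_tool_output() {
  local fps fp
  fps=$(extract_sha256)
  if [ -z "$fps" ]; then
    echo "FAIL: no SHA-256 fingerprint in tool output" >&2; return 1
  fi
  for fp in $fps; do
    if ! is_speakap_fingerprint "$fp"; then
      echo "FAIL: unknown signing certificate $fp" >&2; return 1
    fi
  done
  echo "OK: signed with a published Speakap certificate"
}

# Step 2 and Step 3 for one file; the tools must be on PATH.
verify_file() {
  local out
  case "$1" in
    *.apk) out=$(apksigner verify --print-certs "$1") || return 1 ;;
    *.aab) out=$(keytool -printcert -jarfile "$1") || return 1 ;;
    *) echo "FAIL: expected an .apk or .aab file" >&2; return 2 ;;
  esac
  printf '%s\n' "$out" | check_tool_output
}

# Usage: ./verify-speakap.sh your-app.apk  (script name is hypothetical)
if [ "$#" -gt 0 ]; then verify_file "$1"; fi
```

The script compares only SHA-256, which is sufficient because it is the strongest of the three published digests; a mismatch or a missing fingerprint yields a non-zero exit status suitable for an MDM upload pipeline.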
4. How to locate apksigner and keytool
These tools are part of the standard Android SDK and the JRE.
Default locations on Mac:
- apksigner: /Users/user/Library/Android/sdk/build-tools/xx.x.x/apksigner
- keytool (Android Studio): /Applications/Android\ Studio.app/Contents/jbr/Contents/Home/bin/keytool
- keytool (Java): /Users/user/Library/Java/JavaVirtualMachines/jbr-xx.x.xx/Contents/Home/bin/keytool
Official Documentation & Downloads:
- apksigner reference: https://developer.android.com/tools/apksigner
- Download Command line tools: https://developer.android.com/studio#downloads
- keytool reference: https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html