Skip to content

Instantly share code, notes, and snippets.

@aruku7230

aruku7230/verify_apk.md

Last active January 24, 2023 10:37
Show Gist options
  • Save aruku7230/547149d958cdfe025b50444ee36539c9 to your computer and use it in GitHub Desktop.
Save aruku7230/547149d958cdfe025b50444ee36539c9 to your computer and use it in GitHub Desktop.
Download ZIP
Verify the the apk
Raw
verify_apk.md

Use apksigner

apksigner verify --print-certs --verbose <name>.apk

Check checksums

Check checksums: sha256sum --check <name>.asc, change sha256sum to corresponding tool is checksums algorithm is not SHA256.

With file app-release.apk and sha256sum.txt.asc from this release. The output of checksum check command is

app-release.apk: OK
sha256sum: WARNING: 14 lines are improperly formatted

Check PGP signature

  1. Download public key: curl -sO <public-key-url>
  2. Import public key: gpg --import <public-key-file>
  3. Verify the signature: gpg --verify <name>.asc

Reference: https://syncthing.net/security/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment