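#!/bin/sh
# apkdoublecheck.sh Verify an apk signature with a certificate extracted
# from a trusted apk
#
# Usage: apkdoublecheck.sh <trusted_apk> <untrusted_apk>
#
# Both apks are run through "apksigner verify --print-certs -v" and the
# "Signer #N certificate <ALG> digest:" lines of the two reports are
# compared byte for byte. By default the trusted apk must have a valid v1
# and v2 signature while for the target app it is sufficient to have a
# valid v1 signature: a missing v2 signature on the target apk is reported
# but does not fail the check. v1 (JAR) signing alone is the weaker
# guarantee; tighten the untrusted-apk v2 check below if both are required.
#
# Environment:
#   ANDROID_HOME  SDK root; apksigner is taken from build-tools/25.0.2
#   APKSIGNER     if set, used as the full path of apksigner instead
#
# Exit status: 0 when the certificate digests match, 1 on mismatch, bad
# usage, missing files or tool, or a failed signature check.
#
# POSIX sh only (no "function" keyword, [[ ]] or arrays) so the shebang is
# honoured on dash/ash as well as bash.
set -u

# Print a message to stderr and exit 1 (the EXIT trap removes the work dir).
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Exactly two apks are required; with the old "$# -eq 0" test a single
# argument slipped through and "$2" expanded to nothing.
if [ $# -ne 2 ]; then
  die "Usage: apkdoublecheck.sh <trusted_apk> <untrusted_apk>"
fi

trusted=$1
untrusted=$2

# Honour an explicit APKSIGNER path; otherwise fall back to the build-tools
# release the script was written against.
APKSIGNER=${APKSIGNER:-${ANDROID_HOME:-}/build-tools/25.0.2/apksigner}
[ -x "$APKSIGNER" ] || die "apksigner not executable: $APKSIGNER (set ANDROID_HOME or APKSIGNER)"
[ -f "$trusted" ] || die "Trusted apk not found: $trusted"
[ -f "$untrusted" ] || die "Untrusted apk not found: $untrusted"

# All intermediate files live in a private temp dir instead of next to the
# apks, so cleanup cannot remove unrelated *.output.txt files from the cwd
# and files written beside an apk in another directory are not left behind.
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() {
  rm -rf -- "${workdir:?}"
}
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

#######################################
# Run apksigner on one apk and store its verbose report.
# Arguments: $1 - apk path, $2 - report file to write
# apksigner's exit status is deliberately not checked: an unsigned apk
# yields a report without the "... true" lines, which the callers test for.
# stderr is left untouched so tool errors remain visible to the user.
#######################################
write_report() {
  "$APKSIGNER" verify --print-certs -v "$1" > "$2"
}

#######################################
# Fail unless the report contains the given literal line.
# Arguments: $1 - report file
#            $2 - literal text apksigner prints when a scheme verified
#            $3 - message to print on failure
# Uses the grep status directly so a grep error (status 2) fails too; the
# old "[ $? -eq 1 ]" test treated that case as success.
#######################################
require_line() {
  grep -qF -- "$2" "$1" || die "$3"
}

#######################################
# Extract the certificate digest values from a report, one per line.
# Arguments: $1 - report file, $2 - output file, $3 - label for messages
# Fails if no digest line was found: two empty digest lists would otherwise
# compare equal and the untrusted apk would be accepted.
#######################################
extract_digests() {
  grep "Signer #[0-9]* certificate [A-Z0-9-]* digest:" "$1" \
    | sed 's/.*digest:[[:space:]]*//' > "$2"
  [ -s "$2" ] || die "No certificate digest found in apksigner output for $3"
}

trusted_report=$workdir/trusted.output.txt
untrusted_report=$workdir/untrusted.output.txt
trusted_sigs=$workdir/trusted.signatures.txt
untrusted_sigs=$workdir/untrusted.signatures.txt

# Verify first trusted apk signature
write_report "$trusted" "$trusted_report"
require_line "$trusted_report" "Verified using v1 scheme (JAR signing): true" \
  "Trusted apk has invalid v1 signature!"
require_line "$trusted_report" "Verified using v2 scheme (APK Signature Scheme v2): true" \
  "Trusted apk has invalid v2 signature!"
# Extract public key signature from trusted apk
extract_digests "$trusted_report" "$trusted_sigs" "trusted apk"

# Verify untrusted apk with public key
write_report "$untrusted" "$untrusted_report"
require_line "$untrusted_report" "Verified using v1 scheme (JAR signing): true" \
  "Untrusted apk has invalid v1 signature!"
# v2 is only advisory for the target apk (see header): report and continue.
if ! grep -qF -- "Verified using v2 scheme (APK Signature Scheme v2): true" "$untrusted_report"; then
  echo "Untrusted apk has invalid v2 signature!"
fi
extract_digests "$untrusted_report" "$untrusted_sigs" "untrusted apk"

# Verify certificates match. cmp -s is the portable spelling of --silent and
# the negated test also catches its error status (2), not only a mismatch.
if ! cmp -s "$trusted_sigs" "$untrusted_sigs"; then
  die "Signatures does not match!"
fi
echo "Signature match! This apk can be trusted."
# Success must exit 0; the old quit helper returned 1 on every path, so a
# caller could not tell a match from a failure by status.
exit 0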