How to find out which signature verison an APK file has?

Question

As you know there is two schemas for signing an APK file.(V1 (Jar Signature) and V2 (Full APK Signature).)

I have an APK file in hand and want to know whether it contains V1 or V2 or both. Is there a CLI tool which I can use it to do so?

Answer 1

The Android SDK tools has a tool called apksigner which allows you to verify the signature.

See https://developer.android.com/studio/command-line/apksigner#options-verify

$ apksigner verify --print-certs --verbose app-name.apk

You can find the binary under: [Path to Android SDK]/build-tools/28.0.3/apksigner

(Replace 28.0.3 which whatever version of build-tools you have)

Answer 2

Using this repository one can easily verify each of apk signatures.

Example:

$ ./print-apk-signature kodi-18.3-Leia-arm64-v8a.apk 
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1
Signer #1 certificate DN: CN=XBMC Foundation, OU=Android platform, O=XBMC Foundation, L=US, ST=US, C=us
Signer #1 certificate SHA-256 digest: f517b44b5db5e62a6c1ec55ba47526db7de0d61f6ba26a7987520e293499b8d5
Signer #1 certificate SHA-1 digest: 5cd9110c3d8e066324615d1279fb93a13c78d666
Signer #1 certificate MD5 digest: f9f0fe227fadf5c961400472a7e962ca
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 20ab9f102104a30fdf3859fb6b4f4033f7c98f7584530f8aeb46badb5a6bcd97
Signer #1 public key SHA-1 digest: 1b6455e869e679ebb65e0ca4b3cd0ab322e6da44
Signer #1 public key MD5 digest: 441b9aab27029f7a953cd16c2d20f525