Extract raw X.509 Certificate from a signed APK or JAR

I have a library of MD5 hashes of public keys used to sign various jars, and a mapping to their respective keystores which we use to sign different APKs. What I'd like to be able to do is identify which keystore was used to sign an APK, but without using trial and error. (Also, sadly, many of our keys share similar or identical DNs.)

My solution, because I know the META-INF/FOO.RSA (or FOO.DSA) contains the certificate, was to extract the certificate from the APK's RSA file and directly calculate the MD5 hash. (I know the certificate is there because it is accessible to a running android application, and the jarsigner documentation tells me it is there.)

But I can't find any tool that gives me the actual bytes of the certificate. I can get the DN and the certificate metadata when I use jarsigner -verbose -verify -certs my.apk, but that doesn't give me the bytes.


  • Extract the JAR then use 'openssl' to output the certificate:

    So assuming 'foo.jar' is in your current directory, do something like:

    mkdir temp
    cd temp
    jar -xvf ../foo.jar
    cd META-INF
    openssl pkcs7 -in FOO.RSA -print_certs -inform DER -out foo.cer
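To get from the extracted FOO.RSA to the MD5 values the question keeps in its library without a second tool, here is an added example (not from the question or the answer above) that walks the PKCS#7 SignedData with only the Python standard library, pulls out each DER certificate and returns the MD5 of the certificate bytes and of its SubjectPublicKeyInfo. The FOO_RSA value at the bottom is a constructed fixture, not a real signature block; feed it the bytes of META-INF/FOO.RSA instead.

```python
import hashlib
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")   # id-signedData, 1.2.840.113549.1.7.2

def tlvs(buf, pos, end):
    """Walk the DER TLVs in buf[pos:end]; yield (tag, start, value_start, end) for each."""
    while pos < end:
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                      # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), hdr + n
        yield tag, pos, pos + hdr, pos + hdr + length
        pos += hdr + length

def certs_from_pkcs7(blob):
    """Raw DER bytes of every certificate carried in a PKCS#7 SignedData (META-INF/*.RSA)."""
    _, _, cv, ce = next(tlvs(blob, 0, len(blob)))           # ContentInfo SEQUENCE
    oid, content = list(tlvs(blob, cv, ce))[:2]
    if blob[oid[2]:oid[3]] != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 SignedData")
    _, _, sv, se = next(tlvs(blob, content[2], content[3]))  # [0] EXPLICIT -> SignedData
    fields = list(tlvs(blob, sv, se))
    # version, digestAlgorithms, encapContentInfo, then OPTIONAL [0] IMPLICIT certificates
    for tag, _, vs, ve in fields[3:]:
        if tag == 0xA0:
            return [blob[s:e] for _, s, _, e in tlvs(blob, vs, ve)]
    return []

def spki_from_cert(cert):
    """DER SubjectPublicKeyInfo of an X.509 cert (what 'openssl x509 -pubkey' prints)."""
    _, _, cv, ce = next(tlvs(cert, 0, len(cert)))           # Certificate SEQUENCE
    _, _, tv, te = next(tlvs(cert, cv, ce))                 # tbsCertificate
    fields = list(tlvs(cert, tv, te))
    if fields[0][0] == 0xA0:                                # skip OPTIONAL [0] version
        fields = fields[1:]
    _, s, _, e = fields[5]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return cert[s:e]

def signer_fingerprints(blob):
    # (certificate MD5, public-key MD5) hex pairs, one per certificate in the block
    return [(hashlib.md5(c).hexdigest(), hashlib.md5(spki_from_cert(c)).hexdigest())
            for c in certs_from_pkcs7(blob)]

# Constructed fixture, not a real signature block: a minimal SignedData with one skeleton cert.
def der(tag, body):                      # short-form lengths suffice for this tiny fixture
    return bytes([tag, len(body)]) + body
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                 + der(0x03, b"\x00" + b"\x01" * 16))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SPKI)
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
SIGNED_DATA = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, bytes.fromhex(
    "2a864886f70d010701"))) + der(0xA0, CERT) + der(0x31, b""))
FOO_RSA = der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, SIGNED_DATA))   # stand-in for META-INF/FOO.RSA
```

The public-key hash is taken over the DER SubjectPublicKeyInfo, so it matches `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl md5` on the same certificate.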