android, apk, apksigner

apksigner v1 scheme: false


I have downloaded an apk file from some alternative source (apkfollow.com) to get an older version of my banking app. I have run apksigner against this apk file as follows:

apksigner verify --verbose --print-certs <my-app-name>.apk 
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true

Questions:

  1. Why is the v1 scheme false? Is it no longer required for newer Android versions?
  2. Can I trust this apk? If it says Verifies, does it mean the apk file is an official, unmodified version of the app (assuming I know that the public key/certificate has a correct known digest)?

Solution

  • As long as the first line is "Verifies", then yes you can trust* this APK.

    The other lines below are some details as to what level of signature was implemented: the v1 signing scheme (a.k.a. JAR signing) is weaker than the v2 and v3 signing schemes and is optional if you have minSdkVersion 24+, so that could explain why the v1 signing scheme is not present.


    * Note that this doesn't tell you who signed it, just that it wasn't modified after "someone" signed it. You'd have to look at the certificate to ensure that it was signed by who you expect.
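As an added example (not part of the question or answer above), the following POSIX shell script turns the advice in the footnote into a check: it only accepts an APK when apksigner reports "Verifies" AND every signer certificate's SHA-256 digest matches a digest you already trust (for example, one recorded from the version of the app you installed from the official store). The sample apksigner output embedded below is constructed for the example, the "Example Bank" DN and the digests in it are hypothetical, and the `check_apk_signer` / `verify_apk_file` function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of what `apksigner verify --verbose --print-certs` prints.
# The DN and digests are hypothetical placeholders, not a real app's values.
SAMPLE_OUTPUT='Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Bank, O=Example Bank Ltd, C=US
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'

# Constructed sample for an APK whose contents were changed after signing.
TAMPERED_OUTPUT='DOES NOT VERIFY
ERROR: JAR signer CERT.RSA: JAR signature META-INF/CERT.SF indicates the APK is signed using APK Signature Scheme v2 but no such signature was found. Signature stripped?'

# check_apk_signer OUTPUT EXPECTED_SHA256
# Succeeds (returns 0) only when:
#   1. the first line of the apksigner output is exactly "Verifies"
#      (the APK is intact since it was signed), and
#   2. every "Signer #N certificate SHA-256 digest" equals EXPECTED_SHA256
#      (the APK was signed by the key you already trust, not just "someone").
check_apk_signer() {
    output="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"

    first="$(printf '%s\n' "$output" | head -n 1)"
    if [ "$first" != "Verifies" ]; then
        echo "integrity check failed: apksigner did not report 'Verifies'"
        return 1
    fi

    # Collect the SHA-256 digest of each signer certificate, lower-cased.
    digests="$(printf '%s\n' "$output" \
        | sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' \
        | tr 'A-F' 'a-f')"
    if [ -z "$digests" ]; then
        echo "no signer certificate digest found in apksigner output"
        return 1
    fi

    # Pinning: refuse the APK if any signer is not the expected one.
    for d in $digests; do
        if [ "$d" != "$expected" ]; then
            echo "unexpected signer certificate digest: $d"
            return 1
        fi
    done
    echo "OK: APK verifies and is signed by the pinned certificate"
    return 0
}

# verify_apk_file APK EXPECTED_SHA256
# Runs the real apksigner (from the Android SDK build-tools) and feeds its
# output to check_apk_signer. apksigner exits non-zero on a failed
# verification, so that case is reported and rejected as well.
verify_apk_file() {
    apk="$1"
    expected="$2"
    if ! out="$(apksigner verify --verbose --print-certs "$apk" 2>&1)"; then
        printf '%s\n' "$out"
        return 1
    fi
    check_apk_signer "$out" "$expected"
}

# Example usage (requires apksigner on PATH and a real pinned digest):
#   verify_apk_file my-app.apk <sha256-of-the-known-good-signer-certificate>
```

The pinned digest has to come from somewhere you trust in advance, such as the output of the same apksigner command run against the copy of the app you obtained from the official store; comparing the downloaded APK against a digest printed by that same downloaded APK proves nothing.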