I'm working with the Play Integrity API and I'm looking at the SHA-256 digest in the app integrity part of the verdict.
Here is what the doc says about this digest:

```
// The sha256 digest of app certificates.
// This field is populated iff appRecognitionVerdict != UNEVALUATED.
certificateSha256Digest: ["6a6a1474b5cbbb2b1aa57e0bc3"]
```
The goal of this verdict part is to verify the app integrity, and I assume that this digest has been generated from the version of the app to be evaluated. However, I don't know how to decide whether it is a valid one.
I would expect that if I find the certificate that is used to sign the app, and I use gradle to generate a signing report, it would include the SHA-256 digest of the certificate, but the SHA-256 generated by `./gradlew signingReport` doesn't match the one returned in the verdict.
Am I missing something here? How do I find out which SHA-256 digests are valid?
`signingReport` provides the sha256 digest in hex form, while the Play Integrity API field provides it in base64 web-safe, no-wrap, no-padding form. You can make the conversion using

```sh
echo CE:RT:DI:GE:ST:IN:HE:XF:OR:MM | xxd -r -p | base64 | tr '/+' '_-' | tr -d '='
```

Note that the reason for transforming `+` to `-` is the base64 web-safe form (see the specification here).
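The same conversion as a server-side check, added here as an example and not taken from the answer or from Google's code: it turns a `signingReport` hex fingerprint into the base64url, unpadded form used in `certificateSha256Digest`, converts back the other way, and compares a verdict's digest list against the fingerprints you expect. The fingerprints below are constructed sample values, not real certificate digests.

```python
import base64
import hashlib


def hex_fingerprint_to_base64url(hex_fingerprint: str) -> str:
    """Convert a colon-separated hex SHA-256 (as printed by
    `./gradlew signingReport`) into the base64url form without padding
    that Play Integrity reports in certificateSha256Digest."""
    raw = bytes.fromhex(hex_fingerprint.replace(":", "").replace(" ", ""))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def base64url_to_hex_fingerprint(digest: str) -> str:
    """Inverse conversion: restore the stripped padding, then decode."""
    padded = digest + "=" * (-len(digest) % 4)
    raw = base64.urlsafe_b64decode(padded)
    return ":".join(f"{b:02X}" for b in raw)


def digest_matches(verdict_digests, expected_hex_fingerprints) -> bool:
    """True only when the verdict lists at least one digest and every digest
    it lists corresponds to a certificate fingerprint you expect.
    Comparing in one canonical form avoids the hex-vs-base64url mismatch."""
    expected = {hex_fingerprint_to_base64url(fp) for fp in expected_hex_fingerprints}
    return bool(verdict_digests) and all(d in expected for d in verdict_digests)


if __name__ == "__main__":
    # Constructed stand-in for a signing certificate's DER bytes (not a real cert).
    fake_cert_der = b"constructed certificate bytes for demonstration only"
    sha256_hex = ":".join(f"{b:02X}" for b in hashlib.sha256(fake_cert_der).digest())
    print("signingReport style:", sha256_hex)
    print("verdict style:      ", hex_fingerprint_to_base64url(sha256_hex))
    print("round trip ok:      ",
          base64url_to_hex_fingerprint(hex_fingerprint_to_base64url(sha256_hex)) == sha256_hex)
```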