These steps are for Windows, but they should be very similar on macOS or Linux.
Prerequisites
- Android Studio installed
- Android SDK build-tools installed through the SDK Manager (apksigner ships with build-tools, not with Android Studio itself)
Locate apksigner
apksigner is part of the Android SDK build-tools and lives in the build-tools directory of the SDK, one subdirectory per installed build-tools version:
%LOCALAPPDATA%\Android\Sdk\build-tools\30.0.0
Let's open a terminal and navigate to the build-tools directory. Replace 30.0.0 with the build-tools version you actually have installed. From your user profile directory:
cd .\AppData\Local\Android\Sdk\build-tools\30.0.0
Alternatively use the full path (replace username and 30.0.0 with your actual username and build-tools version):
cd C:\Users\username\AppData\Local\Android\Sdk\build-tools\30.0.0\
Verify Signal APK
We can now verify the Signal APK with the following. Replace username with your username.
.\apksigner.bat verify --print-certs C:\Users\username\Downloads\Signal-Android-website-prod-universal-release-6.0.6.apk
If the signature itself is broken, apksigner prints DOES NOT VERIFY and exits non-zero; stop there. Otherwise scroll up to the top of the output and look for the line that says
Signer #1 certificate SHA-256 digest:
This is the SHA-256 fingerprint of the signing certificate, not the signature itself. Compare it against the fingerprint published on Signal's website:
https://signal.org/android/apk/
apksigner prints the digest as lowercase hex with no separators, while the website uses uppercase hex separated by colons, so strip the colons and ignore case before comparing. The whole value must match, not just the first few bytes. Adding --verbose to the command also prints a Verifies line and which signature schemes (v1, v2, v3) were verified.
You may see a number of warnings like
WARNING: META-INF/xxx.version not protected by signature...
These are expected. The warning comes from the v1 (JAR) signature check: a JAR signature only covers entries listed in the manifest, and anything inside META-INF itself is excluded from that coverage, so apksigner reports every extra file it finds there. The .version files are just version markers for the AndroidX and Kotlin libraries the app depends on, not code; the DEX files, resources and native libraries are all covered by the signature. Unprotected entries that are not .version markers would be worth a closer look, but the marker files themselves are not a security concern.
https://stackoverflow.com/questions/52122546/apk-metainfo-warning
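To automate the comparison and the warning triage described above, here is an added example script. It is not part of the original page and not Signal's or Android's tooling. It assumes apksigner is on PATH (or that its full path is passed as the second argument), that EXPECTED_FINGERPRINT is a placeholder you replace with the value from https://signal.org/android/apk/, and that the embedded SAMPLE_REPORT is constructed sample output with a made-up digest, used only so the script runs offline.

```python
"""Check an `apksigner verify --print-certs` report against a published fingerprint.

Added example; not code from the original page or from Signal/Android tooling.
Assumptions: apksigner is on PATH (or its path is given as argv[2]);
EXPECTED_FINGERPRINT is a placeholder to replace with the value from
https://signal.org/android/apk/; SAMPLE_REPORT is constructed sample output.
"""
import re
import subprocess
import sys

# Placeholder (assumption): replace with the fingerprint shown on signal.org/android/apk/.
EXPECTED_FINGERPRINT = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"

DIGEST_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9A-Fa-f:]+)\s*$", re.M)
WARN_RE = re.compile(r"^WARNING: (META-INF/\S+) not protected by signature", re.M)

# Constructed sample of apksigner output; the digest below is made up, not Signal's.
SAMPLE_DIGEST = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
SAMPLE_EXPECTED = ":".join(SAMPLE_DIGEST[i:i + 2] for i in range(0, 64, 2)).upper()
SAMPLE_REPORT = f"""\
Signer #1 certificate DN: CN=Example Signer, O=Example
Signer #1 certificate SHA-256 digest: {SAMPLE_DIGEST}
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef
WARNING: META-INF/androidx.core_core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/kotlinx_coroutines_core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
"""


def normalize_fingerprint(fp: str) -> str:
    """Lowercase hex, no separators: apksigner prints lowercase without colons,
    websites usually print uppercase with colons. Rejects anything that is not
    a full 32-byte SHA-256 value."""
    cleaned = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return cleaned


def parse_report(text: str) -> dict:
    """Extract per-signer SHA-256 digests, unprotected META-INF entries and
    whether apksigner declared the APK as not verifying."""
    signers = {int(n): normalize_fingerprint(d) for n, d in DIGEST_RE.findall(text)}
    return {
        "signers": signers,
        "unprotected": WARN_RE.findall(text),
        "fails": "DOES NOT VERIFY" in text,
    }


def check_apk_report(text: str, expected: str):
    """Return (ok, reason). ok is True only when the signature verified, exactly
    one signer is present, its full fingerprint matches the published one and
    every unprotected META-INF entry is a harmless .version marker."""
    report = parse_report(text)
    if report["fails"]:
        return False, "apksigner reported DOES NOT VERIFY"
    if len(report["signers"]) != 1 or 1 not in report["signers"]:
        return False, f"expected exactly one signer, found {sorted(report['signers'])}"
    got, want = report["signers"][1], normalize_fingerprint(expected)
    if got != want:
        return False, f"fingerprint mismatch: apk has {got}, expected {want}"
    suspicious = [p for p in report["unprotected"] if not p.endswith(".version")]
    if suspicious:
        return False, "unprotected non-.version META-INF entries: " + ", ".join(suspicious)
    return True, f"certificate fingerprint matches ({len(report['unprotected'])} .version warnings ignored)"


def run_apksigner(apk_path: str, apksigner: str = "apksigner"):
    """Run apksigner and return (combined output, exit code)."""
    proc = subprocess.run([apksigner, "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr, proc.returncode


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No APK given: exercise the checker on the constructed sample report.
        ok, reason = check_apk_report(SAMPLE_REPORT, SAMPLE_EXPECTED)
        print("sample report:", reason)
        sys.exit(0 if ok else 1)
    tool = sys.argv[2] if len(sys.argv) > 2 else "apksigner"
    output, rc = run_apksigner(sys.argv[1], tool)
    ok, reason = check_apk_report(output, EXPECTED_FINGERPRINT)
    print(reason)
    sys.exit(0 if ok and rc == 0 else 1)
```

Run it as `python check_apk.py C:\Users\username\Downloads\Signal-Android-website-prod-universal-release-6.0.6.apk C:\Users\username\AppData\Local\Android\Sdk\build-tools\30.0.0\apksigner.bat` after pasting the real fingerprint into EXPECTED_FINGERPRINT. A non-zero exit means either apksigner itself rejected the signature, the fingerprint does not match, or an unprotected META-INF entry other than a .version marker was found.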