Getting Signing Certificate Hash

Before installation or updating on a device, Android requires that all APKs be digitally signed with a certificate. The signing certificate hash is a unique identifier of the certificate used to sign the application, serving to verify the application's origin.

Application Signing

Developers can sign the application using one of the following methods:

Manual App Signing.
Play App Signing.

Manual App Signing

In manual app signing, the developer owns a keystore used to sign the application. You can use tools like keytool or apksigner to retrieve certificate details, including the SHA-256 digest.

Using keytool:

keytool -printcert -jarfile app.apk

Using apksigner:

apksigner verify --print-certs app.apk

Play App Signing

With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign your applications. You can find the SHA-256 fingerprint of the certificate in the Google Play Console:

Go to View App.
Navigate to Setup > App Signing.
Under App Signing Key Certificate, locate the SHA-256 fingerprint.

An example SHA-256 fingerprint looks like this:

88:8c:7f:02:d6:2e:ed:3a:53:bb:9c:a6:6b:82:5c:0d:78:a8:e5:b6:b2:11:28:bc:f5:ac:67:c8:e0:a3:7c:5a

Converting the SHA-256 Hash to Base64

To convert hex string to Base64 form, use an online like Base64 Encode. After conversion, you'll receive a string like this:

iIx/AtYu7TpAu5cma4JdDXio5bayFSi89axnyOCjfFo=

The resulting string is used in the Talsec configuration as a signing certificate hash.

Check the integration section for instructions on providing the signing hash for Talsec configuration.

PreviousWiki NextCallback Delay, Telemetry Impact, and Threat Scanning Completion Status

Last updated 2 months ago