HomeArticlesCommunity ProductsPremium ProductsGitHubTalsec Website

Getting Signing Certificate Hash

Before an Android application can be installed or updated, it must be digitally signed with a certificate. The signing certificate hash is a unique identifier of this certificate, playing a critical role in application security and integrity.

This hash ensures that:

  • The app's origin is verified, preventing malicious actors from distributing fake or modified versions.

  • Only the original developer can provide updates, ensuring a secure upgrade path.

  • Third-party services and APIs can authenticate the app before granting access.

Understanding the signing certificate hash is essential, especially when dealing with Google Play App Signing, where the upload key and distribution key may differ. Proper management of this concept helps maintain trust, prevent security breaches, and ensure a seamless app lifecycle.

Application Signing

Developers can sign the application using one of the following methods:

  • Manual App Signing.

    • Development Certificate

    • Production Certificate

  • Play App Signing.

Manual App Signing

Manual App Signing is a process where the developer signs an Android application (APK) using a private key stored in a keystore.

Development Certificate

The Development Certificate is used primarily during the development and testing phases. This certificate is automatically generated by Android build tools. It is used for signing the app during development to test features and debug without releasing the app to the public.

The SHA-256 digest from this certificate should not be used in a production environment, as the SDK may detect it as a potential security threat.

Production Certificate

The Production Certificate is used when preparing the app for public release. Developers create a custom keystore and generate a private key for signing the application. This certificate must be kept secure as it ties the app to the developer for all future updates.

How to Retrieve Certificate Details in Manual App Signing?

In manual app signing, the developer owns a keystore used to sign the application. You can use tools like keytool or apksigner to retrieve certificate details, including the SHA-256 digest.

Using keytool:

keytool -printcert -jarfile app.apk

Using apksigner:

apksigner verify --print-certs app.apk

Do not forget to convert the SHA-256 digest to Base64 format, as the SDK requires it in this format. You can find the conversion steps in this section.

Play App Signing

With Play App Signing, Google securely manages your app’s signing key and uses it to sign your application before distribution. This ensures that your app remains protected throughout its lifecycle while also enabling features like automatic key rotation.

How to find the SHA-256 fingerprint in Google Play Console?

To retrieve the SHA-256 digest of your signing certificate, follow these steps:

  1. Go to View App.

  2. Navigate to Setup > App Signing.

  3. Under App Signing Key Certificate, locate the SHA-256 fingerprint.

An example SHA-256 fingerprint looks like this:

88:8c:7f:02:d6:2e:ed:3a:53:bb:9c:a6:6b:82:5c:0d:78:a8:e5:b6:b2:11:28:bc:f5:ac:67:c8:e0:a3:7c:5a

Do not forget to convert the SHA-256 digest to Base64 format, as the SDK requires it in this format. You can find the conversion steps in this section.

Converting the SHA-256 Hash to Base64

To convert hex string to Base64 form, use an online like Base64 Encode. After conversion, you'll receive a string like this:

iIx/AtYu7TpAu5cma4JdDXio5bayFSi89axnyOCjfFo=

The resulting string is used in the Talsec configuration as a signing certificate hash.

PreviousWikiNextCallback Delay, Telemetry Impact, and Threat Scanning Completion Status

Last updated