Before installation or updating on a device, Android requires that all APKs be digitally signed with a certificate. The signing certificate hash is a unique identifier of the certificate used to sign the application, serving to verify the application's origin.
Developers can sign the application using one of the following methods:
Manual App Signing.
Play App Signing.
In manual app signing, the developer owns a keystore used to sign the application. You can use tools like keytool or apksigner to retrieve certificate details, including the SHA-256 digest.
Using keytool:
Using apksigner:
With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign your applications. You can find the SHA-256 fingerprint of the certificate in the Google Play Console:
Go to View App.
Navigate to Setup > App Signing.
Under App Signing Key Certificate, locate the SHA-256 fingerprint.
An example SHA-256 fingerprint looks like this:
To convert the hex string to Base64 form, use an online tool like Base64 Encode. After conversion, you'll receive a string like this:
The resulting string is used in the Talsec configuration as a signing certificate hash.
Check the integration section for instructions on providing the signing hash for Talsec configuration.
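The hex-to-Base64 conversion described above can also be done locally, with a check that the value really is a 32-byte SHA-256 digest and not the SHA-1 line copied by mistake. This is an added example, not Talsec's code; `fingerprint_to_base64` and the sample tool output are constructed for illustration.

```python
import base64
import re

# SHA-256 line as printed by `keytool -list -v` ("SHA256: AA:BB:...") or by
# `apksigner verify --print-certs` ("... SHA-256 digest: aabb...").
_SHA256_LINE = re.compile(r"SHA-?256(?: digest)?\s*:\s*([0-9A-Fa-f: \t]+)")


def fingerprint_to_base64(text: str) -> str:
    """Return the Base64 form of a SHA-256 certificate fingerprint.

    Accepts a bare hex string (with or without colons) or pasted tool
    output that contains a labelled SHA-256 line.
    """
    match = _SHA256_LINE.search(text)
    hex_part = match.group(1) if match else text
    hex_clean = re.sub(r"[:\s]", "", hex_part)
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_clean):
        raise ValueError("fingerprint is empty or contains non-hex characters")
    digest = bytes.fromhex(hex_clean)  # raises ValueError on odd length
    if len(digest) != 32:
        # 20 bytes usually means the SHA-1 line was copied by mistake.
        raise ValueError(f"expected a 32-byte SHA-256 digest, got {len(digest)} bytes")
    return base64.b64encode(digest).decode("ascii")


# Constructed sample data: the "digest" is just the bytes 0x00..0x1F.
_SHA1_HEX = ":".join(f"{b:02X}" for b in range(20))
_SHA256_HEX = ":".join(f"{b:02X}" for b in range(32))
SAMPLE_KEYTOOL = (
    "Certificate fingerprints:\n"
    f"\t SHA1: {_SHA1_HEX}\n"
    f"\t SHA256: {_SHA256_HEX}\n"
)
SAMPLE_APKSIGNER = (
    f"Signer #1 certificate SHA-256 digest: {bytes(range(32)).hex()}\n"
    f"Signer #1 certificate SHA-1 digest: {bytes(range(20)).hex()}\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_KEYTOOL, SAMPLE_APKSIGNER, _SHA256_HEX):
        print(fingerprint_to_base64(sample))
```

Both tool formats and the bare hex string yield the same Base64 value, so the result can be cross-checked between keytool and apksigner before it goes into the configuration.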