
Detect difference in APK signatures

I reproduced an APK from Google Play and diffoscope does not tell me about the different signature:

$ diffoscope unsigned.apk signed.apk
--- unsigned.apk
+++ signed.apk
├── zipinfo /dev/stdin
│ @@ -1,8 +1,8 @@
│ -Zip file size: 30225128 bytes, number of entries: 1708
│ +Zip file size: 30229413 bytes, number of entries: 1708
│  -rw----     0.0 fat    21096 b- defN 80-000-00 00:00 AndroidManifest.xml
│  -rw----     2.4 fat    11376 b- defN 80-000-00 00:00 LICENSE-junit.txt
│  -rw----     2.4 fat       87 b- defN 80-000-00 00:00 META-INF/MANIFEST.MF
│  -rw----     2.4 fat       89 b- defN 80-000-00 00:00 META-INF/activity-ktx_release.kotlin_module
│  -rw----     2.4 fat        6 bx stor 80-000-00 00:00 META-INF/androidx.activity_activity-ktx.version
│  -rw----     2.4 fat        6 bx stor 80-000-00 00:00 META-INF/androidx.activity_activity.version
│  -rw----     2.4 fat        6 b- stor 80-000-00 00:00 META-INF/androidx.annotation_annotation-experimental.version

So the signed APK is 4kB bigger but where is the signature? Maybe diffoscope could include a diff of the apksigner output?

$ apksigner verify --verbose --print-certs signed.apk | grep -v WARN
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=Horizontal Systems
Signer #1 certificate SHA-256 digest: c1899493e440489178b8748851b72cbed50c282aaa8c03ae236a4652f8c4f27b
Signer #1 certificate SHA-1 digest: 5afb2517b06caac7f108ba9d96ad826f1c4ba30c
Signer #1 certificate MD5 digest: c2d55e9119eb1d9e029cc928e3e4c984
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 1e2b628d9938f5445d60584e4f346e94dab805e40b3a3dba7eadcf82e4c82fbb
Signer #1 public key SHA-1 digest: 1a685a25bce8dd171c65240a0c2cfbf6b8b45fb5
Signer #1 public key MD5 digest: be3b5429f83663b067293f24a20bfd4f
$ apksigner verify --verbose --print-certs unsigned.apk | grep -v WARN
DOES NOT VERIFY
ERROR: No JAR signatures

I still have to learn where the signature is actually hiding but I suppose it's some zip metadata. So maybe there is a more general tool to diff that, too.
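An added example, not part of the issue above and not diffoscope's own code: the v2/v3 signature that apksigner reports is not a zip entry at all but an "APK Signing Block" placed between the last zip entry and the central directory, which is why zipinfo lists identical entries and only the total file size changes. The script below locates that block through the end-of-central-directory record and lists the signature scheme IDs it carries. The zip it builds and the block it splices in front of the central directory are constructed sample data (no real signer, no real certificate), and the ID constants come from the documented APK Signature Scheme v2/v3 layout.

```python
import io
import struct
import zipfile

# Constants from the documented APK Signature Scheme v2/v3 layout.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
APK_SIG_V2_ID = 0x7109871A  # ID of the v2 signature ID-value pair
APK_SIG_V3_ID = 0xF05368C0  # ID of the v3 signature ID-value pair
EOCD_SIGNATURE = b"PK\x05\x06"
SCHEME_NAMES = {APK_SIG_V2_ID: "v2", APK_SIG_V3_ID: "v3"}


def find_eocd(data: bytes) -> int:
    """Offset of the End Of Central Directory record; a zip comment can push it back up to 64 KiB."""
    start = max(0, len(data) - 22 - 0xFFFF)
    idx = data.rfind(EOCD_SIGNATURE, start)
    if idx < 0:
        raise ValueError("not a zip file: EOCD record not found")
    return idx


def central_directory_offset(data: bytes) -> int:
    """Start of the central directory, read from the uint32 at EOCD + 16."""
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def parse_apk_signing_block(data: bytes):
    """Return {pair_id: value} for the APK Signing Block, or None when the file has none.

    Layout, sitting directly before the central directory:
      uint64 size | ID-value pairs (uint64 len, uint32 id, bytes) | uint64 size | 16-byte magic
    where both size fields exclude the first size field itself.
    """
    cd_off = central_directory_offset(data)
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return None
    size_of_block = struct.unpack_from("<Q", data, cd_off - 24)[0]
    block_start = cd_off - 8 - size_of_block
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size_of_block:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    pairs = {}
    pos, end = block_start + 8, cd_off - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("corrupt APK Signing Block: bad pair length")
        pair_id = struct.unpack_from("<I", data, pos + 8)[0]
        pairs[pair_id] = data[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return pairs


def signature_schemes(data: bytes):
    """Names of the signature schemes present ('v2', 'v3' or 'unknown-0x...')."""
    block = parse_apk_signing_block(data)
    if block is None:
        return []
    return [SCHEME_NAMES.get(i, f"unknown-0x{i:08x}") for i in block]


# --- constructed sample input: a toy zip and a placeholder block, not a real app or signature ---

def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def insert_signing_block(data: bytes, pairs: dict) -> bytes:
    """Splice an APK Signing Block before the central directory and re-point the EOCD at it."""
    cd_off, eocd = central_directory_offset(data), find_eocd(data)
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size_of_block = len(body) + 8 + 16
    block = struct.pack("<Q", size_of_block) + body + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC
    out = bytearray(data[:cd_off] + block + data[cd_off:])
    # The central directory moved by len(block); patch the offset stored in the (also moved) EOCD.
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))
    return bytes(out)


FAKE_V2 = b"placeholder v2 signer block (constructed, not a real signature)"
UNSIGNED = build_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\0"})
SIGNED = insert_signing_block(UNSIGNED, {APK_SIG_V2_ID: FAKE_V2})


def describe(label: str, data: bytes) -> str:
    """One line per file, the kind of summary a diff tool could show next to the zipinfo listing."""
    return f"{label}: {len(data)} bytes, signing block schemes: {signature_schemes(data) or 'none'}"


if __name__ == "__main__":
    print(describe("unsigned.apk", UNSIGNED))
    print(describe("signed.apk", SIGNED))
```

Running it prints the two summary lines; the size difference between the two files is exactly the spliced block, which mirrors the 4 kB growth seen with the real APKs. v1 (JAR) signatures are different: they do show up as `META-INF/*.SF` and `META-INF/*.RSA` (or `.DSA`/`.EC`) entries, so a zipinfo diff catches those but not v2/v3.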
