How to Verify Signal APK

These steps are for Windows, but they should be very similar on macOS or Linux.

Prerequisites

  1. Android Studio installed
  2. Install the latest SDK

Locate apksigner

Apksigner is part of the Android build tools should be in the SDK directory.

%APPDATA%..\Local\Android\Sdk\build-tools\30.0.0

Lets open up a terminal and navigate to the build-tools. Replace 30.0.0 with the actual SDK version you have installed.

cd .\AppData\Local\Android\Sdk\build-tools\30.0.0

Alternatively use the full path (Replace username and 30.0.0 with actual username and SDK number)

cd C:\User\username\AppData\Local\Android\Sdk\build-tools\30.0.0\

Verify Signal APK

We can now verify the Signal APK with the following. Replace username with your username.

.\apksigner.bat verify --print-certs C:\User\username\Downloads\Signal-Android-website-prod-universal-release-6.0.6.apk

Scroll up to the top part and look for the part that says

Signer #1 certificate SHA-256 digest:

Check the signature against the signature on Signal’s website/

https://signal.org/android/apk/

You may see a bunch of

WARNING: META-INF/xxx.version not protected by signature...

Sounds like this can be expected and is a common thing. The certificate is stored in META-INF which means that other files stored in META-INF are not protected. Most of the files in that directory are only version numbers of libraries the app depends on. There shouldn’t be anything important so shouldn’t be a security concern.

https://stackoverflow.com/questions/52122546/apk-metainfo-warning