Print Android signing key SHA in code

If you ever need the SHA-1/SHA-256 or MD5 hash of the certificate used to sign your Android app (the "signing key" hash), you can use the following snippets.

Important!
Be aware that you should not print this in a production environment, as it might leak sensitive data.

API 28+ (Kotlin)

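import android.content.pm.PackageManager
import android.os.Build
import android.util.Base64
import android.util.Log
import java.security.MessageDigest
import java.security.NoSuchAlgorithmException

private fun printSHA() {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        try {
            // get the package info that contains the signing certificates you want to print
            val info = packageManager.getPackageInfo(
                packageName,
                PackageManager.GET_SIGNING_CERTIFICATES
            )
            // signingInfo can be null, so fall back to an empty array
            for (signature in info.signingInfo?.apkContentsSigners.orEmpty()) {
                // you can use other algorithms like MD5, SHA-1 or SHA-256
                val sha = MessageDigest.getInstance("SHA-256")
                sha.update(signature.toByteArray())

                // digest of the signing certificate bytes
                val output = sha.digest()

                // print the hash as Base64 and as upper-case hex
                Log.e("KEY HASH (SHA-256):", Base64.encodeToString(output, Base64.DEFAULT))
                Log.e("KEY HASH Hex (SHA-256):", bytesToHex(output).uppercase())
            }
        } catch (notFoundException: PackageManager.NameNotFoundException) {
            // pass the exception itself: its message is nullable in Kotlin
            Log.e("My tag", "Package not found", notFoundException)
        } catch (noSuchAlgorithmException: NoSuchAlgorithmException) {
            Log.e("My tag", "Digest algorithm not available", noSuchAlgorithmException)
        }
    }
}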

Deprecated (Java)

private void printSHA() {
    try {
        // get the package info that contains the key you want to print
        PackageInfo info = getPackageManager().getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES);

        for (Signature signature : info.signatures) {
            // you can use other algorithms like MD5, SHA-1 or SHA-256
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            sha.update(signature.toByteArray());

            // print the signing key SHA hash
            byte[] output = sha.digest();
            Log.e("MY KEY HASH:", Base64.encodeToString(output, Base64.DEFAULT));
            Log.e("MY KEY HASH Hex:", bytesToHex(output));
        }
    } catch (PackageManager.NameNotFoundException notFoundException) {
        // pass the exception itself so a null message cannot break the log call
        Log.e("My tag", "Package not found", notFoundException);
    } catch (NoSuchAlgorithmException noSuchAlgorithmException) {
        Log.e("My tag", "Digest algorithm not available", noSuchAlgorithmException);
    }
}

And the converter method that outputs a hex string from an array of bytes:

public static String bytesToHex(byte[] bytes) {
    final StringBuilder builder = new StringBuilder();
    for(byte aByte : bytes) {
        builder.append(String.format("%02x", aByte));
    }
    return builder.toString();
}

Using this, you can implement validation between your app and your backend, so the backend knows whether the app making a request has this extra security layer or not :).

That outputs something like:

2020-04-17 17:37:58.429 13222-13222/ro.funcode.stirisinoutatimodule E/KEY HASH (SHA-256):: CYCi/W8mXfCf7asdabCQvc71+DpiyasdsdQizELw=
2020-04-17 17:37:58.441 13222-13222/ro.funcode.stirisinoutatimodule E/KEY HASH Hex (SHA-256):: 0980A2FD6F26DDSADASD234AF809B090BDCEF5F83A62CA7CADAFASB310BC
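
A backend-side check for the validation idea mentioned above, as an added example that is not part of the original post: it decodes a fingerprint in either form the app logs (hex or Base64) and compares it with an allowlist in constant time. The names `parse_fingerprint`, `is_trusted` and `TRUSTED`, and the sample certificate bytes, are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac

SHA256_LEN = 32  # bytes in a SHA-256 digest


def parse_fingerprint(value: str) -> bytes:
    """Decode a SHA-256 fingerprint sent as hex or Base64 into raw bytes.

    Accepts the two forms the app logs: hex (any case, optional ':'
    separators) and Base64 (Base64.DEFAULT appends a trailing newline,
    which is stripped here).
    """
    text = value.strip()
    hex_text = text.replace(":", "")
    try:
        if len(hex_text) == 2 * SHA256_LEN:
            raw = bytes.fromhex(hex_text)
        else:
            raw = base64.b64decode(text, validate=True)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("fingerprint is neither hex nor Base64") from exc
    if len(raw) != SHA256_LEN:
        raise ValueError("fingerprint is not 32 bytes long")
    return raw


def is_trusted(reported: str, trusted: list[bytes]) -> bool:
    """Return True if the reported fingerprint matches a trusted digest."""
    try:
        candidate = parse_fingerprint(reported)
    except ValueError:
        return False  # malformed input is simply not trusted
    # Check every entry, each comparison in constant time.
    matches = [hmac.compare_digest(candidate, t) for t in trusted]
    return any(matches)


# Constructed sample: digest of placeholder bytes, not a real certificate.
SAMPLE_CERT = b"constructed-signing-certificate-bytes"
TRUSTED = [hashlib.sha256(SAMPLE_CERT).digest()]
```

A fingerprint reported by the client is public information and can be sent by any caller, so treat a match as one signal rather than proof of an untampered app.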
