First, unzip the APK and extract the file /META-INF/ANDROID_.RSA (this file may also be CERT.RSA, but there should only be one .RSA file).

首先，解压APK并解压文件/META-INF/ANDROID_.RSA（这个文件也可能是CERT.RSA，但应该只有一个.RSA文件）。

Then issue this command:

然后发出这个命令：

keytool -printcert -file ANDROID_.RSA

You will get certificate fingerprints like this:

你会得到这样的证书指纹：

     MD5:  B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB
     SHA1: 16:59:E7:E3:0C:AA:7A:0D:F2:0D:05:20:12:A8:85:0B:32:C5:4F:68
     Signature algorithm name: SHA1withRSA

Then use the keytool again to print out all the aliases of your signing keystore:

然后再次使用 keytool 打印出签名密钥库的所有别名：

keytool -list -keystore my-signing-key.keystore

You will get a list of aliases and their certificate fingerprint:

您将获得别名列表及其证书指纹：

android_key, Jan 23, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): B3:4F:BE:07:AA:78:24:DC:CA:92:36:FF:AE:8C:17:DB

Voila! we can now determined the apk has been signed with this keystore, and with the alias 'android_key'.

瞧！我们现在可以确定 apk 已使用此密钥库签名，并使用别名“android_key”。

Keytool is part of Java, so make sure your PATH has Java installation dir in it.

Keytool 是 Java 的一部分，因此请确保您的 PATH 中包含 Java 安装目录。

You can use Java 7's Key and Certificate Management Tool keytoolto check the signature of a keystore or an APK without extracting any files.

您可以使用 Java 7 的密钥和证书管理工具keytool来检查密钥库或 APK 的签名，而无需提取任何文件。

Signature of an APK

APK 的签名

keytool -printcert -jarfile app.apk

The output will reveal the signature owner/issuer and MD5, SHA1 and SHA256 fingerprints of the APK file app.apk.

输出将显示 APK 文件的签名所有者/发行者和 MD5、SHA1 和 SHA256 指纹app.apk。

(Note that the -jarfileargument was introduced in Java 7; see the documentationfor more details.)

（请注意，该-jarfile参数是在 Java 7 中引入的；有关更多详细信息，请参阅文档。）

Signature of a keystore

密钥库的签名

keytool -list -v -keystore release.jks

The output will reveal the aliases (entries) in the keystore file release.jks, with the certificate fingerprints (MD5, SHA1 and SHA256).

输出将显示密钥库文件中的别名（条目）release.jks以及证书指纹（MD5、SHA1 和 SHA256）。

If the SHA1 fingerprints between the APK and the keystore match, then you can rest assured that that app is signed with the key.

如果 APK 和密钥库之间的 SHA1 指纹匹配，那么您可以放心，该应用程序是使用密钥签名的。

To build on Paul Lammertsma's answer, this command will print the names and signatures of all APKs in the current dir (I'm using sh because later I need to pipe the output to grep):

为了以 Paul Lammertsma 的回答为基础，此命令将打印当前目录中所有 APK 的名称和签名（我正在使用 sh，因为稍后我需要将输出通过管道传输到 grep）：

find . -name "*.apk" -exec echo "APK: {}" \; -exec sh -c 'keytool -printcert -jarfile "{}"' \;

find . -name "*.apk" -exec echo "APK: {}" \; -exec sh -c 'keytool -printcert -jarfile "{}"' \;

Sample output:

示例输出：

APK: ./com.google.android.youtube-10.39.54-107954130-minAPI15.apk
Signer #1:

Signature:

Owner: CN=Unknown, OU="Google, Inc", O="Google, Inc", L=Mountain View, ST=CA, C=US
Issuer: CN=Unknown, OU="Google, Inc", O="Google, Inc", L=Mountain View, ST=CA, C=US
Serial number: 4934987e
Valid from: Mon Dec 01 18:07:58 PST 2008 until: Fri Apr 18 19:07:58 PDT 2036
Certificate fingerprints:
         MD5:  D0:46:FC:5D:1F:C3:CD:0E:57:C5:44:40:97:CD:54:49
         SHA1: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00
         SHA256: 3D:7A:12:23:01:9A:A3:9D:9E:A0:E3:43:6A:B7:C0:89:6B:FB:4F:B6:79:F4:DE:5F:E7:C2:3F:32:6C:8F:99:4A
         Signature algorithm name: MD5withRSA
         Version: 1

APK: ./com.google.android.youtube_10.40.56-108056134_minAPI15_maxAPI22(armeabi-v7a)(480dpi).apk
Signer #1:

Signature:

Owner: CN=Unknown, OU="Google, Inc", O="Google, Inc", L=Mountain View, ST=CA, C=US
Issuer: CN=Unknown, OU="Google, Inc", O="Google, Inc", L=Mountain View, ST=CA, C=US
Serial number: 4934987e
Valid from: Mon Dec 01 18:07:58 PST 2008 until: Fri Apr 18 19:07:58 PDT 2036
Certificate fingerprints:
         MD5:  D0:46:FC:5D:1F:C3:CD:0E:57:C5:44:40:97:CD:54:49
         SHA1: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00
         SHA256: 3D:7A:12:23:01:9A:A3:9D:9E:A0:E3:43:6A:B7:C0:89:6B:FB:4F:B6:79:F4:DE:5F:E7:C2:3F:32:6C:8F:99:4A
         Signature algorithm name: MD5withRSA
         Version: 1

Or if you just care about SHA1:

或者，如果您只关心 SHA1：

find . -name "*.apk" -exec echo "APK: {}" \; -exec sh -c 'keytool -printcert -jarfile "{}" | grep SHA1' \;

find . -name "*.apk" -exec echo "APK: {}" \; -exec sh -c 'keytool -printcert -jarfile "{}" | grep SHA1' \;

Sample output:

示例输出：

APK: ./com.google.android.youtube-10.39.54-107954130-minAPI15.apk
         SHA1: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00
APK: ./com.google.android.youtube_10.40.56-108056134_minAPI15_maxAPI22(armeabi-v7a)(480dpi).apk
         SHA1: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00

Much easier way to view the signing certificate:

查看签名证书的更简单方法：

jarsigner.exe -verbose -verify -certs myapk.apk

This will only show the DN, so if you have two certs with the same DN, you might have to compare by fingerprint.

这只会显示 DN，因此如果您有两个具有相同 DN 的证书，则可能需要通过指纹进行比较。

There are many freewares to examine the certificates and key stores such as KeyStore Explorer.

有许多免费软件可以检查证书和密钥库，例如KeyStore Explorer。

Unzip the apk and open the META-INF/?.RSA file. ? shall be CERT or ANDROID or may be something else. It will display all the information associated with your apk.

解压 apk 并打开 META-INF/?.RSA 文件。? 应该是 CERT 或 ANDROID 或者可能是其他东西。它将显示与您的 apk 相关的所有信息。

You can do this with the apksignertool that is part of the Android SDK:

您可以使用apksigner作为 Android SDK 一部分的工具执行此操作：

apksigner verify --print-certs my_app.apk

apksigner verify --print-certs my_app.apk

You can find apksigner inside the build-tools directory. For example: ~/Library/Android/sdk/build-tools/29.0.1/apksigner

您可以在 build-tools 目录中找到 apksigner。例如： ~/Library/Android/sdk/build-tools/29.0.1/apksigner