For Android developers managing their own signing keys, the SHA-256 certificate fingerprint is your app’s unique, cryptographic identity. This guide shows you three methods to retrieve it from either a signed APK file or the original keystore.
Retrieving the SHA-256 from an APK File
These methods are useful if you have the final, signed APK file but may not have easy access to the original keystore or its passwords.
Method 1A: Using apksigner (Recommended for APKs)
The apksigner tool is the most modern and reliable way to extract signature information from an APK, regardless of whether it uses V1, V2, V3, or V4 signing schemes.
Step 1: Locate apksigner
(Example: /Users/username/Library/Android/sdk/build-tools/34.0.0/apksigner)
Step 2: Run the command
Open your terminal or command prompt, navigate to the directory where your APK is saved, and execute the following command:
apksigner verify --print-certs <path/to/your/app.apk>
Step 3: Locate the SHA-256 fingerprint
The output will list the certificate details for each signer. Locate the SHA-256 digest label:
Signer #1 certificate SHA-256 digest:
a32a43cd459f7ce6b82c552f5d876989d53e6af1c0b2d35fb677b51a1dc4f0e5
The 64-character hexadecimal string is your SHA-256 certificate fingerprint. apksigner prints it in lowercase without colon separators.
Method 1B: Using keytool on an APK
Step 1: Locate keytool and the APK
Ensure you know the location of both the keytool utility (part of your JDK installation) and the signed APK file.
Step 2: Run the command
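Use the following command, passing the signed APK file to the -jarfile option. keytool reads only the JAR (V1) signature this way, so an APK signed solely with V2 or later schemes is reported as not being a signed JAR; use apksigner (Method 1A) for those.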
keytool -printcert -jarfile <path/to/your/app.apk>
Step 3: Locate the SHA-256 Fingerprint
The output will include the Certificate fingerprints section. Look for the SHA-256 line.
Retrieving SHA-256 from a keystore file
This is the de facto method for extracting the certificate fingerprint from your source keystore file on any operating system.
Method 2: Using the standard keytool utility
Step 1: Locate tools and keystore file
You require:
- Your keystore file: The file used to sign your app (.jks or .keystore). You must know its path, password, and the alias name of the key inside it.
- The keytool utility: This tool is included with the Java Development Kit (JDK).
| Operating System | Keytool location |
| --- | --- |
| Windows | Typically in the bin directory of your JDK installation (for example, C:\Program Files\Java\jdk-xx\bin\). |
| macOS / Linux | Generally available directly in your terminal once the JDK is installed. |
Step 2: Navigate to correct location
Open your terminal or command prompt. To simplify the next step, you can navigate to the directory containing your keystore file:
# Example: Replace with your actual path
cd /path/to/your/keystore/directory
Step 3: Run the command
Use the following command to instruct keytool to list the certificate details in verbose mode.
Note: If keytool is not recognized, you must specify the full path to the utility (for example, "/path/to/jdk/bin/keytool").
keytool -list -v -keystore [your_keystore_name.jks] -alias [your_key_alias]
- Replace [your_keystore_name.jks] with the actual name of your file.
- Replace [your_key_alias] with the specific alias name of your signing key (for example, mykey).
Step 4: Locate the SHA-256 fingerprint
The utility will prompt you for your keystore password. Once entered, the output will display the certificate details.
Look for the Certificate fingerprints section:
Certificate fingerprints:
SHA1: XX:XX:XX:XX:XX:...
SHA256: 0A:B3:C6:D9:E2:F5:81:B4:C7:D0:E3:F6:92:A5:B8:C1:D4:E7:F0:83:96:A9:BC:D1:E4:F7:03:96:A9:BC:D1:E4
Signature algorithm name: SHA256withRSA
...
The long string of colon-separated hexadecimal characters next to SHA256: is your public SHA-256 certificate fingerprint.
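The two tools print the same digest in different formats (apksigner: lowercase, no separators; keytool: uppercase, colon-separated), so a plain string comparison between them fails. The script below is an added example, not part of the original guide: it extracts the fingerprint from each tool's output, normalizes both, and checks that a signed APK matches the keystore entry you expect. The function names and the sample outputs are constructed for illustration; the digest reuses the apksigner sample from Method 1A.

```shell
#!/bin/sh
# Added example. Sample outputs are constructed, not captured from a real app.

# Canonical form: 64 lowercase hex chars, no separators. Fails on anything else.
normalize_fp() {
    fp=$(printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:upper:]' '[:lower:]')
    case "$fp" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || return 1
    printf '%s\n' "$fp"
}

# stdin: `apksigner verify --print-certs` output. Prints the first signer's
# digest, whether it follows the label on the same line or on the next one.
apksigner_fp() {
    awk '/certificate SHA-256 digest:/ {
        sub(/.*digest:[ \t]*/, ""); if ($0 == "") getline; print; exit }'
}

# stdin: `keytool -list -v` or `keytool -printcert` output.
keytool_fp() {
    awk '/SHA256:/ { sub(/.*SHA256:[ \t]*/, ""); print; exit }'
}

# Succeeds only if both values are valid SHA-256 digests and identical.
same_cert() {
    a=$(normalize_fp "$1") && b=$(normalize_fp "$2") && [ "$a" = "$b" ]
}

# Constructed sample outputs (same certificate, two renderings).
APKSIGNER_OUT='Signer #1 certificate SHA-256 digest: a32a43cd459f7ce6b82c552f5d876989d53e6af1c0b2d35fb677b51a1dc4f0e5'
KEYTOOL_OUT='Certificate fingerprints:
     SHA1: XX:XX:XX:XX:XX:...
     SHA256: A3:2A:43:CD:45:9F:7C:E6:B8:2C:55:2F:5D:87:69:89:D5:3E:6A:F1:C0:B2:D3:5F:B6:77:B5:1A:1D:C4:F0:E5
Signature algorithm name: SHA256withRSA'

apk_fp=$(printf '%s\n' "$APKSIGNER_OUT" | apksigner_fp)
ks_fp=$(printf '%s\n' "$KEYTOOL_OUT" | keytool_fp)
if same_cert "$apk_fp" "$ks_fp"; then
    echo "APK and keystore certificate match: $(normalize_fp "$apk_fp")"
else
    echo "MISMATCH: APK was not signed with this keystore entry" >&2
fi
```

With real files, pipe the commands from Method 1A and Method 2 into `apksigner_fp` and `keytool_fp` in place of the sample variables.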