How to Verify an APK File Signature on Android

Introduction / Why This Is Needed

An APK file's digital signature is a cryptographic tag that a developer adds to an app before publishing. It guarantees that:

The app has not been altered after signing (integrity).
The app genuinely comes from the stated developer (authenticity).

Signature verification is relevant when you:

Download an APK from unofficial sources and want to ensure its safety.
Debug your own app and need to confirm the build is signed with the correct key.
Troubleshoot installation issues (e.g., INSTALL_PARSE_FAILED_NO_CERTIFICATES error).

This guide will show you how to quickly verify the signature of any APK file on an Android device or computer.

Requirements / Preparation

Before you begin, ensure you have:

An Android device or an APK file on your computer.
ADB (Android Debug Bridge) installed. It is included in the Android SDK Platform-Tools. After installation, add the platform-tools folder to your system PATH.
USB debugging enabled on the device (Settings → Developer options → USB debugging).
Basic command-line skills (terminal, cmd, PowerShell).

💡 Tip: If you're verifying an APK that's already on your computer, you don't need ADB or a device. Utilities like apksigner or jarsigner are sufficient.

Step-by-Step Instructions

Step 1: Prepare the Environment and Device

Connect your Android device to your computer via USB.
Open a terminal (Linux/macOS) or PowerShell/cmd (Windows).
Check that ADB sees your device:
```
adb devices
```
Your device should appear in the list with the status device. If not, install drivers (Windows) or authorize debugging on the device.

Step 2: Determine the APK File Path

If the APK is on the device:

Find the app's package name (e.g., com.example.app). Get the full APK path with:
```
adb shell pm list packages -f | grep "com.example.app"
```
The output will look like: package:/data/app/com.example.app-1/base.apk. That's the path.

If the APK is on the computer:

Simply locate the file. For example, C:\Downloads\app.apk or ~/Downloads/app.apk.

Step 3: Verify the Signature with apksigner (Recommended)

The apksigner tool is part of the Android SDK Build-Tools (from version 24.0.0). It supports all modern signing schemes (v1, v2, v3).

Run the command, replacing <apk_path> with the actual path:

apksigner verify --verbose <apk_path>

Example for an APK on the computer:

apksigner verify --verbose ~/Downloads/myapp.apk

Example for an APK on the device (first copy it to the computer):

adb pull /data/app/com.example.app-1/base.apk .
apksigner verify --verbose base.apk

Expected output on success:

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
...

If you see Verifies and true for at least one scheme, the signature is valid.

Step 4: Alternative: Verification via jarsigner

If apksigner is unavailable (e.g., in very old SDKs) or you only need to check the old v1 signing scheme, use jarsigner—a tool from the Java Development Kit (JDK).

jarsigner -verify -verbose -certs <apk_path>

Example:

jarsigner -verify -verbose -certs base.apk

Expected output:

jar verified.
...

If jar verified. appears at the end, the v1 signature is valid.

⚠️ Important: jarsigner does not check v2/v3 schemes. Even if jarsigner passes, the APK might be unsigned via v2, causing errors on Android 7.0+ devices.

Step 5: Analyze the Result

Success: Output contains Verified (apksigner) or jar verified. (jarsigner). The signature is valid, and the file is unmodified.
"No signatures found" error: The file is not signed at all. Such APKs cannot be installed on Android.
"certificate not found" or "signature block not found" error: The signature is damaged or the file was modified after signing.
Warnings about an expired certificate: The signature is technically valid, but the certificate's validity period has ended. This usually doesn't block installation but may cause issues with updates.

After running the commands, you should get a clear answer. The most reliable indicator is the phrase Verified using v2 scheme from apksigner. It guarantees the app will pass verification on all modern Android devices (7.0+).

If verification succeeds, you can be confident:

The APK has not been modified by unknown parties.
The app originates from the owner of the private key used for signing.

Potential Issues

ADB doesn't see the device

Ensure USB debugging is enabled.
Try reconnecting the cable or using a different port.
On Windows, check if ADB drivers are installed (try adb kill-server and adb start-server).

apksigner/jarsigner not found

Ensure Android SDK Build-Tools (for apksigner) or JDK (for jarsigner) are installed and added to PATH.
The full path to apksigner is typically: ~/Library/Android/sdk/build-tools/<version>/apksigner (macOS/Linux) or C:\Users\<user>\AppData\Local\Android\Sdk\build-tools\<version>\apksigner.bat (Windows).

"Failed to read key from APK" error

The APK file may be corrupted or encrypted. Try downloading/building it again.
Ensure you're providing the path to an APK file, not a ZIP archive or other format.

Signing certificate expired

This doesn't block installation but may prevent app updates via Google Play if the new build is signed with the same expired key.
Solution: Re-sign the app with a new key (requires changing the update key, which isn't always possible).

F.A.Q.

Why verify an APK file signature?

Can I verify the signature without ADB?

What does the 'No signatures found' error mean?

What's the difference between `apksigner` and `jarsigner`?

Hints

Prepare the environment and device

Determine the APK file path

Verify the signature using apksigner (recommended)

Alternative: verification via jarsigner

Analyze the result