Keytool prompts "jar file that is not signed"
Recently I started extracting certificate information from a batch of APKs and ran into a problem.

Normally we can get the certificate information (as shown in the figure below) by running keytool -printcert -jarfile a.apk, using the keytool utility that ships with Java.

However, when I ran this over several hundred APKs, a handful of them produced the message "This is not a signed jar file" instead of the certificate details.

If you only want to work around the problem, it is simple: extract the META-INF/*.RSA file from the APK and run keytool -printcert -file CERT.RSA on it (for an ordinary APK the two commands give the same result).
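As an added example (not code from the original post), the following Python wrapper automates the batch procedure described above: it tries keytool -printcert -jarfile first and, when keytool reports the file as not signed, falls back to extracting the META-INF signature block and running keytool -printcert -file on it. It assumes keytool is on the PATH; the sample APK and keytool output it builds for demonstration are constructed, not real.

```python
import re
import subprocess
import tempfile
import zipfile

# JAR signature-block entries live under META-INF/ with one of these suffixes.
SIG_BLOCK_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)
NOT_SIGNED_MSG = "not a signed jar file"  # substring of keytool's complaint


def signature_blocks(apk_path):
    """Return the META-INF signature-block entries (e.g. META-INF/CERT.RSA) of an APK."""
    with zipfile.ZipFile(apk_path) as zf:
        return [name for name in zf.namelist() if SIG_BLOCK_RE.match(name)]


def parse_printcert(text):
    """Collect the 'Signature algorithm name:' values from keytool -printcert output."""
    return re.findall(r"Signature algorithm name:\s*(\S+)", text)


def keytool_printcert(args):
    """Run keytool -printcert with extra args; return (exit code, combined output)."""
    proc = subprocess.run(["keytool", "-printcert", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def cert_info(apk_path):
    """Try -jarfile; on 'not a signed jar file' fall back to the extracted signature block."""
    rc, out = keytool_printcert(["-jarfile", str(apk_path)])
    if rc == 0 and NOT_SIGNED_MSG not in out.lower():
        return "jarfile", out
    outputs = []
    with tempfile.TemporaryDirectory() as tmp, zipfile.ZipFile(apk_path) as zf:
        for name in signature_blocks(apk_path):
            extracted = zf.extract(name, tmp)  # write META-INF/CERT.RSA under tmp
            outputs.append(keytool_printcert(["-file", extracted])[1])
    return "fallback", "\n".join(outputs)


def build_sample_apk(path):
    """Constructed stand-in for a v1-signed APK: only the entry names matter here."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in ("META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA", "classes.dex"):
            zf.writestr(name, b"placeholder")
    return path


if __name__ == "__main__":
    import sys
    for apk in sys.argv[1:]:
        source, out = cert_info(apk)
        print(f"{apk}: via {source}, signature algorithms {parse_printcert(out)}")
```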

But I also wanted to dig into the cause. Since I could not find keytool's source code online, I had to look for another way.

Searching for tools that extract APK certificate information turned up jarsigner, which Java provides alongside keytool. So I tried running jarsigner -verify on the APKs:

1) For every APK that keytool cannot parse, the output contains this sentence:

Because the jar is signed with a weak algorithm that is currently disabled, the jar will be considered unsigned.

2) When the same command is run on an APK from which keytool extracts the information normally, no such message appears in the output.

So my conclusion is that once keytool detects a signature made with a weak algorithm, it reports that the file is not a signed jar.

That is as far as I can take the analysis for now, and one mystery remains: why does the signature algorithm reported by keytool -printcert -file a.RSA differ from the one reported by jarsigner -certs -verify a.apk?

Please correct me if there are any mistakes in this article.