I have situations in which I changed the release APK signing certificate after rollout to the customers. Now I want to send an update using a different certificate, but because the installed application is signed with the previous certificate, auto-update is not working due to mismatched signatures.

I have another application that I am now planning to use to uninstall the already installed application first and then download and install it again with this helper app. The problem is that I don't want to use the versionCode etc. to identify which version of the older app needs to be uninstalled and then installed again. Is it possible to find the certificate info of any package and determine that it was signed with an older certificate, so that it needs to be deleted first?

Let's say an older app was signed with this signature:

    release {
        storeFile file("../myapp-release.keystore")
        storePassword "12345"
        keyAlias "track-release"
        keyPassword "12345"
    }

and now the target app is using this signature to build a release apk:

    release_new_devices {
        storeFile file("../myapp-release.keystore")
        storePassword "12345"
        keyAlias "track2-release"
        keyPassword "12345"
    }

Is it possible to find the keyAlias of this installed app and identify it by this?

user565

1 Answer

I found a way to compare the signature this way. First, you need to get the SHA1 value from the old APK using the command below:

    keytool -printcert -jarfile myapp.apk

Now, from code, use the following method to compare the signature.

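    import android.content.pm.PackageInfo;
    import android.content.pm.PackageManager;
    import android.content.pm.Signature;
    import android.util.Log;

    private static final String APP_SIGNATURE = "12fcR123+k8Yl0V3Ussd2CBpgT43=";

    try {
        PackageInfo packageInfo = mContext.getPackageManager().getPackageInfo(
                Your_PACKAGE_NAME, PackageManager.GET_SIGNATURES);
        // Note: the loop compares every signature with the one hardcoded value
        for (Signature signature : packageInfo.signatures) {
            // SHA1 the signature (getSHA1 is a helper that is not shown here)
            String sha1 = getSHA1(signature.toByteArray());
            // check whether it matches the hardcoded value
            boolean isMatch = APP_SIGNATURE.equals(sha1);

            Log.i(TAG, "Signature: " + isMatch + " of sha1: " + sha1);
        }
    } catch (PackageManager.NameNotFoundException e) {
        // The target package is not installed
        Log.e(TAG, "Package not found", e);
    }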
user565
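
An added example (not code from the answer above): the same check written so that it also works on API 28+, comparing the installed package's signing certificate with the old certificate's SHA-256 fingerprint rather than the SHA1 used in the answer. The class name `SignerCheck` and the `OLD_CERT_SHA256` placeholder are assumptions; the keyAlias is only a label inside the keystore and is not stored in the APK, so the certificate digest is what identifies the old build.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public final class SignerCheck { // hypothetical helper class
    // Placeholder: paste the "SHA256:" fingerprint of the OLD certificate as
    // printed by `keytool -printcert -jarfile myapp.apk` (colons are stripped).
    static final String OLD_CERT_SHA256 = "<OLD_CERT_SHA256_FINGERPRINT>";

    /** True only if every current signer of pkg is the old certificate. */
    public static boolean isSignedWithOldCert(PackageManager pm, String pkg)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        Signature[] signers;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            // Current signer(s) only; rotated-out certificates are not included.
            signers = pi.signingInfo == null ? null : pi.signingInfo.getApkContentsSigners();
        } else {
            // GET_SIGNATURES is deprecated from API 28 but is the only option below it.
            signers = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures;
        }
        if (signers == null || signers.length == 0) {
            return false; // unknown signer: do not treat as the old build
        }
        String expected = OLD_CERT_SHA256.replace(":", "").toUpperCase(Locale.ROOT);
        for (Signature s : signers) {
            if (!expected.equals(sha256Hex(s.toByteArray()))) {
                return false;
            }
        }
        return true;
    }

    /** Upper-case hex SHA-256 of the DER-encoded certificate bytes. */
    static String sha256Hex(byte[] certDer) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(certDer);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format(Locale.ROOT, "%02X", b));
        }
        return sb.toString();
    }
}
```

On Android 11 and later the helper app must declare the target package in a `<queries>` element of its manifest, otherwise `getPackageInfo` throws `NameNotFoundException` even when the package is installed.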