Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add retrieve fingerprints page and consolidate - Android SDK #1266

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add retrieve fingerprints page and consolidate - Android SDK #1266

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
201 changes: 201 additions & 0 deletions ...ntent/docs/en/sdk/android/v4/integrations/retrieve-certificate-fingerprints.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,201 @@
---
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested changes in this file also apply in the v5 file.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

title: Retrieve Android certificate fingerprints
description: Retrieve Android certificate fingerprints to configure Adjust features
slug: en/sdk/android/v4/integrations/retrieve-certificate-fingerprints
versions:
- label: v5
value: v5
default: true
- label: v4
value: v4
redirects:
v5: /en/sdk/android/integrations/retrieve-certificate-fingerprints
---

A certificate fingerprint is a cryptographic hash of the public information held within a certificate. As described in [Google's documentation](https://developer.android.com/studio/publish/app-signing#api-providers), certificate fingerprints are public information designed to be used by third-parties for Android app verification. Adjust never requests private app signing keys.

Adjust uses certificate fingerprints for the following features:

| Feature | Hashing algorithm | Example |
| ---------------------------------------------------------------------------------------------------- | ----------------- | ----------------------------------------------------------------------------------------------- |
| [SDK Signature](https://help.adjust.com/en/article/sdk-signature#add-signatures-in-the-adjust-suite) | SHA-1 | C4:BD:07:91:BC:09:F8:B6:15:CD:BC:A3:3F:BC:68:8B:C2:EF:4F:F5 |
| [Android App Links](https://help.adjust.com/en/article/set-up-android-app-links#set-up-in-appview) | SHA-256 | 55:FB:97:0F:46:0F:94:EC:07:EA:01:69:50:5A:20:3F:A0:91:60:A4:F1:33:58:EA:76:DC:54:9E:A7:6A:B9:1A |

Check the table below for the best way to get certificate fingerprints based on your app's distribution methods. When configuring the Adjust dashboard, be sure to add all certificate fingerprints that are applicable for your builds.

| Hosting service | Recommended approach |
| ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| Google Play | [Google Play Console](#from-google-play-console) |
| Google Play test track | [Google Play Console - Internal app sharing](#from-google-play-console---internal-app-sharing) |
| Huawei AppGallery - App Signing Enabled | [AppGallery Connect](#from-appgallery-connect) |
| • Huawei AppGallery - App Signing Disabled <br />• Other store, or direct APK download <br />• Local debug build | [Keystore](#from-a-keystore) or [APK](#from-an-apk) |

#### From Google Play Console {#from-google-play-console}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest adding an initial sentence explaining that both the signing key certificate fingerprint and the upload key certificate fingerprint may be required. Otherwise, steps 3 and 4 may be confusing.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

<Callout type="note">
If both the **App signing key certificate** and **Upload key certificate**
sections are present, then you have to retrieve and configure certificate
fingerprints for both in the Adjust dashboard.
</Callout>

1. In [Google Play Console](https://play.google.com/console), go to your app.
2. On the menu on the left side, select **Test and release** > select **Setup** > **App signing**.
3. If you're using Play App Signing, the **App signing key certificate** section will be present. In this section, copy the **SHA-1 certificate fingerprint** and/or **SHA-256 certificate fingerprint**.

![Screenshot of the app signing key certificate page in Google Play Console](@images/sig-v3/google-play-app-signing.png)

4. Under **Upload key certificate**, copy the **SHA-1 certificate fingerprint** and/or **SHA-256 certificate fingerprint**.

![Screenshot of the upload key certificate page in Google Play Console](@images/sig-v3/google-play-upload.png)

#### From Google Play Console - Internal app sharing {#from-google-play-console---internal-app-sharing}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously, we required the upload key certificate fingerprint for the internal app sharing case as well. In theory, it's not necessary, and it was asked simply because the old Google page layout had all certificates mixed together (just like in the previous case for release versions), making errors very common. Can you confirm that the Internal app sharing section of the Play Console now shows only a single certificate? If so, then no action is required. Otherwise, please include the upload key certificate fingerprint as well. It will avoid errors.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I confirm that the latest version of the Play Console internal app sharing section shows only a single certificate.

1. In [Google Play Console](https://play.google.com/console), go to your app.
2. On the menu on the left side, select **Test and release** > select **Testing** > **Internal app sharing**.
3. Under **Internal test certificate**, copy the **SHA-1 certificate fingerprint** and/or **SHA-256 certificate fingerprint**.

![Screenshot of the internal app sharing key certificate page in Google Play Console](@images/sig-v3/google-play-internal-app-sharing.png)

#### From AppGallery Connect {#from-appgallery-connect}

If you use Huawei App Signing, follow the below instructions. If you don't use Huawei App Signing, retrieve your certificate fingerprints [from a keystore](#from-a-keystore) or [from an APK](#from-an-apk).

<Callout type="note">
Retrieve and configure certificate fingerprints in the Adjust dashboard for
both the **App Signature Certificate** and **Upload Certificate**.
</Callout>

<Tabs>
<Tab title="SHA-1" sync="sha-1">
1. In [AppGallery Connect](https://developer.huawei.com/consumer/en/service/josp/agc/index.html), select **My Apps**.
2. Select your app.
3. Under **Services**, go to **App Signing**.
4. Under **App Signature Certificate** and **Upload Certificate**, respectively, select **Download Certificate**.

![Screenshot of the certificate page in Huawei AppGallery](@images/sig-v3/huawei-sha1.png)

5. If needed, install OpenSSL:

- macOS: `brew install openssl`
- Linux: Usually pre-installed or use your package manager
- Windows: Use Microsoft's vcpkg package manager or Windows Subsystem for Linux (WSL)

6. Run the below `openssl` command on each certificate file `<certificate.pem>`:

```bash
openssl x509 -fingerprint -in <certificate.pem> -noout -SHA1
```

7. Retrieve each SHA1 from the output:

```
SHA1 Fingerprint=C4:BD:07:91:BC:09:F8:B6:15:CD:BC:A3:3F:BC:68:8B:C2:EF:4F:F5
```

</Tab>
<Tab title="SHA-256" sync="sha-256">
1. In [AppGallery Connect](https://developer.huawei.com/consumer/en/service/josp/agc/index.html), select **My Apps**.
2. Select your app.
3. Under **Services**, go to **App Signing**.
4. Under **App Signature Certificate** and **Upload Certificate**, respectively, copy each SHA-256 certificate fingerprint.

![Screenshot of the certificate page in Huawei AppGallery](@images/sig-v3/huawei-sha256.png)

</Tab>
</Tabs>

#### From a keystore {#from-a-keystore}

<Callout type="note">
- The below steps require Java to be installed.
- If your build has the Adjust SDK set to the sandbox environment, then SDK Signature
will always pass, so it's not necessary to retrieve the certificate fingerprint for that
build. However, setting up Android App Links requires certificate fingerprints for all builds.
</Callout>

To retrieve certificate fingerprints from your keystore, follow these steps:

1. Locate your keystore:
- Self-managed keystore: path to the folder containing your .jks file
- Android default debug keystore:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The debug certificate fingerprints are not necessary anymore. I suggest removing this (and the corresponding commands below) to avoid any confusion.

Copy link
Collaborator Author

@DaveMeadAdjust DaveMeadAdjust Mar 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm assuming you mean that default debug certificate fingerprints are not necessary for SDK Signature anymore? They are still required for Android App Links, so I left these instructions in place with some additional notes.

- macOS/Linux: `~/.android/debug.keystore`
- Windows: `%USERPROFILE%\.android\debug.keystore`
2. Run the below `keytool` command, replacing the parameter values:

```bash
# For a self-managed keystore (replace with path to your .jks file):
keytool -list -v -keystore </path/to/keystore.jks> -alias <your_key_alias>

# For the Android default debug keystore:
keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey
```

3. When prompted for the password, do the following:
- For a self-managed keystore, enter the password you set during keystore generation.
- For the Android default debug keystore, enter `android`.
4. Retrieve the SHA1 and/or SHA256 values from the output:

```
[...]

SHA1: C4:BD:07:91:BC:09:F8:B6:15:CD:BC:A3:3F:BC:68:8B:C2:EF:4F:F5
SHA256: 55:FB:97:0F:46:0F:94:EC:07:EA:01:69:50:5A:20:3F:A0:91:60:A4:F1:33:58:EA:76:DC:54:9E:A7:6A:B9:1A

[...]
```

#### From an APK {#from-an-apk}

<Callout type="note">
If your build has the Adjust SDK set to the sandbox environment, then SDK
Signature will always pass, so it's not necessary to retrieve the certificate
fingerprint for that build. However, setting up Android App Links requires
certificate fingerprints for all builds.
</Callout>

To retrieve certificate fingerprints used to sign your APK, follow these steps:

1. If needed, install [Android Studio](https://developer.android.com/studio) to get the [apksigner](https://developer.android.com/tools/apksigner) command.
- During Android Studio installation, ensure the Android SDK is installed (it's included by default).
- The Android SDK build-tools will be installed in the below locations:
- macOS/Linux: `~/Library/Android/sdk/build-tools/<version>/`
- Windows: `%LOCALAPPDATA%\Android\Sdk\build-tools\<version>\`
2. Run the below `apksigner` command, replacing the parameter value:
```bash
apksigner verify -v --print-certs <app.apk>
```
3. Retrieve the SHA-1 and/or SHA-256 values from the output. Apps may show a single signature:

```
[...]

Signer #1 certificate SHA-1 digest: c4bd0791bc09f8b615cdbca33fbc688bc2ef4ff5
Signer #1 certificate SHA-256 digest: 55fb970f460f94ec07ea0169505a203fa09160a4f13358ea76dc549ea76ab91a

[...]
```

Or multiple signatures:

```
[...]

Signer (minSdkVersion=24, maxSdkVersion=32) certificate SHA-1 digest: c4bd0791bc09f8b615cdbca33fbc688bc2ef4ff5
Signer (minSdkVersion=24, maxSdkVersion=32) certificate SHA-256 digest: 55fb970f460f94ec07ea0169505a203fa09160a4f13358ea76dc549ea76ab91a

[...]

Signer (minSdkVersion=33, maxSdkVersion=2147483647) certificate SHA-1 digest: 9a3237ad99a97e8ea72df4fb096f28d544d5b8
Signer (minSdkVersion=33, maxSdkVersion=2147483647) certificate SHA-256 digest: 92e961bf8b67043d1af6061b4a926f6a94e2bb78b46a096639e8e2c2fb7784b0

[...]
```

If multiple signatures are present, you'll need to configure all of them in the Adjust dashboard.

<Callout type="note">
The Adjust dashboard requires SHA-256 certificate fingerprints for Android
App Links to be entered with colons separating each pair of characters (for
example:
55:fb:97:0f:46:0f:94:ec:07:ea:01:69:50:5a:20:3f:a0:91:60:a4:f1:33:58:ea:76:dc:54:9e:a7:6a:b9:1a).
</Callout>
114 changes: 3 additions & 111 deletions src/content/docs/en/sdk/android/v4/integrations/signature-library.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,122 +122,14 @@ The Signature library can’t verify the authenticity of your certificate finger

You must add the fingerprints of your signing certificates to the allowlist. If no fingerprints are added to the allowlist, traffic from your app can be spoofed.

</Callout>

#### From a keystore {#from-a-keystore}

If you use your own keystore, or if Android Studio generated a keystore for you, you can retrieve the certificate fingerprint by following these steps:

1. Find the keystore file (`.jks`) you used to sign **the release version of your app**. The keystore must be the one you used to sign the release version sent to the Google Play Store. If the keystore is different, your SDK requests will be rejected.
2. Run the following command to list your keys. Replace the parts in angle brackets with your information.

```console
$ keytool -list -v -keystore <path/to/keystore.jks> -alias <your_key_alias>
```

This command prompts you for your keystore password. This is the password you defined when you generated the keystore.

The final output looks like this:

```text
Alias name: Key0
Creation date: May 15, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=[Adjust, GmbH.]
Issuer: CN=[Adjust, GmbH.]
Serial number: 642f1b62
Valid from: Tue May 15 09:46:06 CEST 2018 until: Sat May 09
09:46:06 CEST 2043
Certificate fingerprints:
MD5: E7:88:9F:8C:9D:F4:14:C1:CF:E8:4C:97:F3:F2:3A:E3
SHA1:
C4:BD:07:91:BC:09:F8:B6:15:CD:BC:A3:3F:BC:68:8B:C2:EF:4F:F5
SHA256:
55:FB:97:0F:46:0F:94:EC:07:EA:01:69:50:5A:20:3F:A0:91:60:A4:F
1:33:58:EA:76:DC:54:9E:A7:6A:B9:1A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
```

3. Save the SHA-1 fingerprint to [add to your allowlist in the Adjust Suite](#add-your-digital-certificate-fingerprints-to-adjusts-allowlist).

#### From Google Play Internal App Sharing {#from-google-play-internal-app-sharing}

If you use [Google Play Internal App Sharing](https://support.google.com/googleplay/android-developer/answer/9303479?hl=en), you need to send both your organization’s SHA-1 certificate fingerprint and your Internal test certificate fingerprint to Adjust for allowlisting.

To extract the fingerprints:

1. Navigate to the Google Play Console and log in.
2. Select your app.
3. Select **Release Management --> App Releases --> Manage internal app sharing > App certificates**.
4. Save the **SHA-1 certificate fingerprint** for both the **Internal test certificate** and your organization’s keystore to [add to your allowlist in the Adjust Suite](#add-your-digital-certificate-fingerprints-to-adjusts-allowlist).

![A screenshot of the certficate page in Google Play Console](@images/sig-v3/google-play-internal-sharing.png)

#### From Google Play App Signing {#from-google-play-app-signing}

If you use [Google Play App Signing](https://support.google.com/googleplay/android-developer/answer/7384423?hl=en), you need to send both your organization’s SHA-1 certificate fingerprint and your Internal test certificate fingerprint to Adjust for allowlisting.

To extract the fingerprints:

1. Navigate to the Google Play Console and log in.
2. Select your app.
3. Select **Release Management > App Signing**.
4. Save the **SHA-1 certificate fingerprint** for both the **App signing certificate** and **Upload certificate** to send to Adjust.

![A screenshot of the App signing page in the Google Play Console](@images/sig-v3/google-play-signing.png)

#### From Huawei AppGallery App Signing {#from-huawei-appgallery-app-signing}

If you use Huawei AppGallery App Signing, you need to send both your organization’s SHA-1 certificate fingerprint and your Internal test certificate fingerprint to Adjust for allowlisting.

<Callout type="note">

If you use your own signing certificate with Huawei AppGallery, follow the [instructions for retrieving your certificate fingerprint from a keystore](#from-a-keystore).

</Callout>

To extract the fingerprints:

1. Navigate to the App Signing page in AppGallery Connect and download the App signing certificate (`certificate.pem`).

![A screenshot of the App Signing page in AppGallery Connect](@images/sig-v3/huawei-appgallery-signing.png)

2. Once you’ve downloaded the certificate, run the following command to output the SHA-1 fingerprint of the certificate.

```console
$ openssl x509 -fingerprint -in certificate.pem -noout -SHA1
```

The output looks like this:

```text
SHA1 Fingerprint=C4:BD:07:91:BC:09:F8:B6:15:CD:BC:A3:3F:BC:68:8B:C2:EF:4F:F5
```

3. Save the fingerprint to [add to your allowlist in the Adjust Suite](#add-your-digital-certificate-fingerprints-to-adjusts-allowlist)..

### Add your digital certificate fingerprints to Adjust’s allowlist {#add-your-digital-certificate-fingerprints-to-adjust-s-allowlist}

<Callout type="note">

Remember to add all certificate fingerprints you want to use to the Adjust suite. This might include debug versions and versions for different stores.

</Callout>

Once you’ve obtained your certificate fingerprints, do the following to add them to your allowlist:

1. Select your app in AppView to open the app details screen.
2. Select the **Protection** tab.
3. Select the **Edit** button on the **Suspicious installs** section.
4. Under the **Android fingerprinting** section, select **New fingerprint**.
5. Paste the SHA-1 fingerprint into the text box that appears.
6. Select **Add**.
Follow these steps to retrieve and configure your certificate fingerprints:

That’s it! Your fingerprint is now allowlisted for your app.
1. [Retrieve Android certificate fingerprints](/en/sdk/android/integrations/retrieve-certificate-fingerprints)
2. [Configure them in the Adjust dashboard](https://help.adjust.com/en/article/sdk-signature#add-signatures-in-the-adjust-suite)

## Test your app {#test-your-app}

Expand Down
Loading
Loading