
Android app signing

When embedding remote verification capabilities into a mobile application, it’s important to ensure that only trusted applications can make verification requests to your MATTR VII verifier tenant.

For Android applications specifically, this is done by configuring the packageSigningCertificateThumbprints property when creating the MATTR VII Verifier Application.

Every Android app must be signed with a certificate before it can be installed. This signing certificate identifies the developer or organization responsible for the app and is used by Android to verify authenticity and integrity.

When integrating with MATTR verification capabilities, the package signing certificate thumbprint acts as a unique cryptographic identifier for your app’s signing key.

By verifying this thumbprint, the Verifier can confirm that the incoming request originated from a trusted and unmodified app.

If the thumbprint doesn’t match exactly, the Verifier will reject the request. This ensures that only trusted client applications — those signed with a matching certificate — can initiate verification requests.

The purpose of this page is to explain how to obtain the signing certificate thumbprint for your Android app.

What is a Package Signing Certificate Thumbprint?

A package signing certificate thumbprint is the hex-encoded hash (SHA-256) of your app’s signing certificate’s public key. It uniquely identifies your signing key and remains the same across app updates as long as the signing key does not change.

This is the value you'll provide to MATTR when configuring your Verifier Application, under the packageSigningCertificateThumbprints field.

Obtaining the Thumbprint

Production builds

When your app is ready for release, the thumbprint you configure must match the signing certificate used for your production build.

How you obtain the thumbprint depends on how you manage your signing keys: via Google Play App Signing or manually.

Google Play App Signing

If your app uses Play App Signing, Google manages your app’s signing key. You can find the SHA-256 fingerprint in the Google Play Console:

  1. Go to Google Play Console > Setup > App Signing.
  2. Locate the SHA-256 fingerprint under App Signing Key Certificate.


  3. Copy the SHA-256 value.
  4. Remove all : characters and convert the string to lowercase.

Example conversion:

```javascript
// Constructed example value; a real SHA-256 fingerprint is 32 bytes (64 hex characters)
const fingerprint = '91:F7:CB:F9:D6:81:53:1B:C7:A5:8F:B8:33:CC:A1:4D:AB:ED:E5:09:C5:12:34:56:78:9A:BC:DE:F0:12:34:56';
// Remove colons and convert to lowercase
const sha256Hex = fingerprint.replaceAll(":", "").toLowerCase();
console.log(sha256Hex);
```

  5. Add the processed value to packageSigningCertificateThumbprints in your Verifier Application configuration.

For more information, refer to Google's documentation on Play App Signing Overview and Manage App Signing Keys in Google Play Console.

Manual signing (CLI)

  1. Retrieve the SHA-256 fingerprint using the keytool command:

Command to get the SHA-256 fingerprint:

```shell
# Prints the certificate fingerprint (SHA-256) for each key in the keystore
keytool -list -keystore <path-to-your-keystore>
```

  2. Copy the SHA-256 value.
  3. Remove all : characters and convert the string to lowercase.

Example conversion:

```javascript
// Constructed example value; a real SHA-256 fingerprint is 32 bytes (64 hex characters)
const fingerprint = '91:F7:CB:F9:D6:81:53:1B:C7:A5:8F:B8:33:CC:A1:4D:AB:ED:E5:09:C5:12:34:56:78:9A:BC:DE:F0:12:34:56';
// Remove colons and convert to lowercase
const sha256Hex = fingerprint.replaceAll(":", "").toLowerCase();
console.log(sha256Hex);
```

  4. Add the processed value to packageSigningCertificateThumbprints in your Verifier Application configuration.

Local builds (Debug)

  1. Extract the signing certificate information directly from the .apk file using the apksigner tool:

Command to get the SHA-256 fingerprint from an APK:

```shell
apksigner verify --print-certs path/to/your-debug-apk.apk
```

Example output:

```text
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: f59105881315e61502274a499d6efc2d7cc71c5cae266e598290d36b59221f6d
Signer #1 certificate SHA-1 digest: ca09773016ef4db66344ce0dac2827429ea875f1
Signer #1 certificate MD5 digest: c59905769e42c09530898c6dc413258f
```

  2. Copy the SHA-256 digest (apksigner already prints it as lowercase hex without separators) and add it to packageSigningCertificateThumbprints in your Verifier configuration.

The default debug keystore is usually located at: $HOME/.android/debug.keystore.

For more details, refer to Android Debug Signing.
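The conversion and matching steps above, gathered into one script as an added example (not MATTR's code): it normalises a keytool or Play Console fingerprint into the thumbprint format, pulls the SHA-256 line out of keytool or apksigner output while ignoring the SHA-1 and MD5 lines, rejects values of the wrong length, and compares a candidate against a configured list the way the Verifier's exact-match check does. The sample tool output is constructed from this page's apksigner example.

```javascript
// Added example (not MATTR's code): normalise a signing-certificate fingerprint into
// the packageSigningCertificateThumbprints format (64 lowercase hex chars, no colons)
// and extract it from keytool / apksigner output in the formats shown on this page.
const SHA256_HEX_LENGTH = 64; // SHA-256 is 32 bytes

// Accepts "F5:91:..." (keytool, Play Console) or "f591..." (apksigner). Throws if the
// value is not SHA-256 sized, e.g. when a SHA-1 fingerprint was pasted by mistake.
function toThumbprint(fingerprint) {
  const hex = fingerprint.trim().replace(/[:\s]/g, "").toLowerCase();
  if (!/^[0-9a-f]+$/.test(hex)) {
    throw new Error(`fingerprint contains non-hex characters: ${fingerprint}`);
  }
  if (hex.length !== SHA256_HEX_LENGTH) {
    throw new Error(`expected ${SHA256_HEX_LENGTH} hex chars (SHA-256), got ${hex.length}`);
  }
  return hex;
}

// Returns one thumbprint per SHA-256 line in keytool -list or apksigner
// --print-certs output; SHA-1 and MD5 lines are ignored.
function thumbprintsFromToolOutput(output) {
  const thumbprints = [];
  for (const line of output.split(/\r?\n/)) {
    const m = line.match(/SHA-?256[^:]*:\s*([0-9A-Fa-f:]+)\s*$/);
    if (m) thumbprints.push(toThumbprint(m[1]));
  }
  return thumbprints;
}

// Exact match against the configured list, mirroring the Verifier's check:
// anything that is not a well-formed SHA-256 thumbprint is rejected.
function isTrustedThumbprint(configuredThumbprints, candidate) {
  try {
    return configuredThumbprints.includes(toThumbprint(candidate));
  } catch {
    return false;
  }
}

// Constructed sample output; digests taken from this page's apksigner example.
const SAMPLE_KEYTOOL_OUTPUT =
  "Certificate fingerprint (SHA-256): F5:91:05:88:13:15:E6:15:02:27:4A:49:9D:6E:FC:2D:7C:C7:1C:5C:AE:26:6E:59:82:90:D3:6B:59:22:1F:6D";
const SAMPLE_APKSIGNER_OUTPUT = [
  "Signer #1 certificate DN: C=US, O=Android, CN=Android Debug",
  "Signer #1 certificate SHA-256 digest: f59105881315e61502274a499d6efc2d7cc71c5cae266e598290d36b59221f6d",
  "Signer #1 certificate SHA-1 digest: ca09773016ef4db66344ce0dac2827429ea875f1",
].join("\n");
```

Both sample outputs normalise to the same thumbprint, so a request carrying the keytool-style value matches a configuration populated from the apksigner output.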

Best practices

  • If your app’s signing key changes, you’ll need to update the Verifier Application configuration.
  • Consider removing old thumbprints if you wish to invalidate older app versions — for example, after a key rotation or potential compromise.
  • For development and testing, you can use the debug signing certificate thumbprint, but make sure you switch to the release signing certificate thumbprint for production builds.
  • Always keep your signing keys secure and avoid sharing them publicly.
