Question

We have a third party app that has been created for us, but that we will maintain going forward.

They have built the apk and signed it with their own key, but in order for us to upload it and to use our key I have had to resign it.

For this I used https://code.google.com/p/apk-resigner/

Now I'm trying to compare their apk with my resigned one, but am not 100% sure what to do.

I've tried doing

jarsigner -verify -keystore my_keystore_location -verbose -certs my.apk

and I've received lots of files with smk on them. This would make sense following the key

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

but then when I run the third party apk that still has their key, I also get smk on the files, which shouldn't happen as that would say it has been signed with a key in my keystore!?

Any ideas anyone?

Thanks


Solution

I'm not exactly sure if this works but I spotted it in package manager: http://developer.android.com/reference/android/content/pm/PackageManager.html#checkSignatures(java.lang.String, java.lang.String)

It's supposed to be able to take your first package's (your own) signature and compare it with your third party app's signature. This is run on the Android app and not on your development platform (Windows, Mac, Linux etc).

Looking at the documentation, if 0 is returned, the signature matches. If 1 is returned, neither is signed. -3 for no match. -2 for second package not signed and -1 for first package not signed. -4 if either package is invalid.

This code is working for me:

final PackageManager pm = getPackageManager();
// Prints 0 (PackageManager.SIGNATURE_MATCH) when both packages are signed with the same certificates
System.out.println(pm.checkSignatures("com.testing1", "com.testing2"));
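A way to compare the two APKs' signing certificates directly on the build machine, as an added example that is not part of the question or the answer: it pulls the X.509 certificates out of each APK's v1 (JAR) signature block (the META-INF/*.RSA file, a PKCS#7 SignedData) with a minimal DER walker and compares their SHA-256 fingerprints. The `sample_apk` and `der_tlv` helpers, and the certificate blobs fed to them, are constructed stand-ins for real signed APKs.

```python
import hashlib
import io
import zipfile

def der_iter(buf):
    """Walk consecutive DER TLVs in buf, yielding (tag, value, raw_tlv_bytes)."""
    pos = 0
    while pos < len(buf):
        start, tag, length = pos, buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length], buf[start:pos + length]
        pos += length

def certs_from_pkcs7(blob):
    """Certificates carried in a PKCS#7 SignedData (RFC 2315), i.e. the META-INF/*.RSA file."""
    _, (_, wrapper, _) = der_iter(next(der_iter(blob))[1])  # ContentInfo: OID, [0] EXPLICIT
    for tag, value, _ in der_iter(next(der_iter(wrapper))[1]):  # SignedData fields
        if tag == 0xA0:  # [0] IMPLICIT certificates, each one a raw X.509 SEQUENCE
            return [raw for _, _, raw in der_iter(value)]
    return []

def apk_signer_fingerprints(apk):
    """SHA-256 fingerprints of the signer certs in an APK's v1 signature; identifies the signer, does not verify."""
    fps = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def der_tlv(tag, body):  # DER encoder used only to build the constructed sample below
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_apk(cert_der):
    """Constructed in-memory APK holding only a META-INF/CERT.RSA that wraps cert_der (not a real APK)."""
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + der_tlv(0x30, b"") + der_tlv(0xA0, cert_der) + der_tlv(0x31, b""))
    rsa = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der_tlv(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", rsa)
    return io.BytesIO(buf.getvalue())
```

An identical fingerprint set means both APKs were signed by the same certificate, which is the question jarsigner's s/m/k flags do not answer; for real APKs, `apksigner verify --print-certs` from the Android build-tools prints the same certificate digests.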

Licensed under: CC-BY-SA with attribution