Given that we have an APK file, accessible on an Android device on the filesystem, how can we, from another Android app:
keytool -list -printcert -jarfile test.apk
I totally whiffed on this.
PackageManager has a getPackageArchiveInfo() method, available since API Level 1. So, you call that, passing in the path to the APK, along with PackageManager.GET_SIGNATURES. If you get null back, the APK was tampered with and does not have a valid digital signature. If you get a PackageInfo back, it will have the "signatures", which you can use for comparison purposes.
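The comparison step described in the answer above, as an added example that is not part of the original post. The class name ApkSignerCheck, its methods, and the caller-supplied pinned digest expectedSha256 are hypothetical. The fingerprint is formatted as colon-separated hex so it can be compared with the SHA-256 line that keytool -printcert prints.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

public final class ApkSignerCheck {
    private ApkSignerCheck() {}

    /** SHA-256 digests of every signer certificate in the APK; empty if none could be read. */
    @SuppressWarnings("deprecation") // GET_SIGNATURES is deprecated since API 28
    public static List<byte[]> signerDigests(PackageManager pm, String apkPath)
            throws NoSuchAlgorithmException {
        List<byte[]> out = new ArrayList<>();
        PackageInfo info = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        // A null result or an empty array is treated as "untrusted", never as a match.
        if (info == null || info.signatures == null) {
            return out;
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Signature sig : info.signatures) {
            // toByteArray() returns the encoded signing certificate.
            out.add(sha256.digest(sig.toByteArray()));
        }
        return out;
    }

    /** True only if the APK has at least one signer and every signer matches the pinned digest. */
    public static boolean isSignedBy(PackageManager pm, String apkPath, byte[] expectedSha256)
            throws NoSuchAlgorithmException {
        List<byte[]> digests = signerDigests(pm, apkPath);
        if (digests.isEmpty()) {
            return false;
        }
        for (byte[] d : digests) {
            // MessageDigest.isEqual avoids an early-exit byte comparison.
            if (!MessageDigest.isEqual(d, expectedSha256)) {
                return false;
            }
        }
        return true;
    }

    /** Colon-separated upper-case hex, the layout keytool uses for fingerprints. */
    public static String toFingerprint(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```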