How to verify Proton APKs
A hash check is a one-way mathematical operation (checksum) performed on a computer file to create a unique digital fingerprint. If the file is changed in any way (even by a single byte), the fingerprint also changes.
A hash check simply compares the digital fingerprint of the file you have downloaded with the digital fingerprint the file should have (as published by us). If the fingerprints don’t match, then the downloaded file should not be trusted. Please contact our support team immediately.
If the fingerprint matches the fingerprint checksum published on our website then you can have confidence that the file you downloaded is the file we intended for you to download.
Proton publishes SHA256 cryptographic hash checksums for the certificates used to sign our APK files (not the APK files themselves). You can (and should) use these checksums to verify that the file you have downloaded has not been tampered with or corrupted in some way.
What is SHA256?
SHA256 stands for Secure Hash Algorithm(new window) 256-bit. It is one of the cryptographic hash functions in the SHA-2 (Secure Hash Algorithm 2) family designed by the US government. SHA256 is a secure algorithm that is used to create unique digital fingerprints of almost any kind of data, and can be used to hash check files downloaded from the internet.
What is a signing certificate?
Android requires that all APKs are digitally signed with a certificate before they are installed on a device or updated. This ensures both integrity (that the files haven’t been corrupted or tampered with) and authentication (that the file is indeed from us). As long as the signing certificate is genuine, you can be sure the APK is secure.
To verify the signing certificate is secure, you can hash check it against the SHA256 checksums we publish on our APK downloads pages (often in the Frequently asked questions section of the page).
Note that hash checksums shown in this support article are for example purposes only. Please see the download page for the file you wish to check for the correct checksum.
How to hash check an APK’s signing certificate
To hash check the certificates used to sign our APKs:
1. Download(new window) and install Java.
2. Obtain the apksigner tool.
This tool is included when you install the Android Studio(new window) software development kit, or you can download it using the following links:
If you have Android Studio installed, apksigner can be found in your SDK/build-tools folder. To find the location of your SDK folder, open Android Studio and go to Projects → More actions → SDK Manager.
The location of your SDK folder is shown under Android SDK location. Your build-tools folder is in your SDK folder.
If you download just apksigner using the links above, unzip it to any convenient location.
3. Open Windows PowerShell or the Command Prompt on Windows, Terminal on macOS, or a terminal window on Linux and run the following:
[Path to apksigner] verify --print-certs [path to APK file]
For example, on Windows with Android Studio installed:
C:\Users\Dougie\AppData\Local\Android\Sdk\build-tools\34.0.0\apksigner verify --print-certs C:\Users\Dougie\Downloads\ProtonMail-Android.apk
On macOS or Linux with the appsigner tool unzipped to the ~/Downloads/android-14 folder.
~/Downloads/android-14/apksigner verify --print-certs ~/Downloads/ProtonMail-Android.apk
4. Look for the line beginning with Signer #1 certificate SHA-256 digest and compare the checksum with the checksum for the APK published on our website. If the two checksums match, you know the APK file is secure and can be trusted.
Note: Some of our APKs certificates are currently signed using the APK Signature Scheme(new window) v1. The appsigner tool also checks for v2 signatures, so you may see some warnings returned when you run it. As long as the SHA256 hash check matches, these can be safely ignored.