android sha256 chrome-custom-tabs trusted-web-activity digital-assets-links

Should we keep our SHA-256 public?


When generating a Digital Asset Link, we are supposed to create an asset links file containing the SHA-256 of our Android app and post it to https://www.your-host.com/.well-known/assetlinks.json, as stated here. So is it safe to post our SHA-256 publicly?

Just read through the documentation


Solution

  • Yes, it is safe to post the SHA-256 publicly. In fact, the SHA-256 fingerprint can be extracted from any signed APK with the following command: keytool -printcert -jarfile [path to APK or AAB] | grep SHA256. Once installed, any other Android app can also read your SHA-256 key. Peter's Asset Links Tool takes advantage of that to help people find what their SHA-256 key is.
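As an added example (not part of the original answer), the sketch below shows why the fingerprint is not a secret: it is SHA-256 over the DER-encoded public signing certificate, and a verifier only compares it with the entries in assetlinks.json. The certificate bytes, the package name com.example.app and the function names are constructed for illustration.

```python
import hashlib
import json

RELATION = "delegate_permission/common.handle_all_urls"

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, formatted AA:BB:... like keytool."""
    hexed = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))

def _norm(fp) -> str:
    # Compare fingerprints case-insensitively and without the colon separators.
    return str(fp).replace(":", "").strip().upper()

def asset_links_allow(links_json: str, package: str, fingerprint: str) -> bool:
    """True if an assetlinks.json document delegates URL handling to package + certificate."""
    try:
        statements = json.loads(links_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(statements, list):
        return False
    for st in statements:
        if not isinstance(st, dict):
            continue
        target, relations = st.get("target"), st.get("relation")
        if not isinstance(target, dict) or not isinstance(relations, list):
            continue
        if RELATION not in relations:
            continue
        if target.get("namespace") != "android_app" or target.get("package_name") != package:
            continue
        fps = target.get("sha256_cert_fingerprints")
        if isinstance(fps, list) and _norm(fingerprint) in {_norm(f) for f in fps}:
            return True
    return False

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_CERT = b"constructed-example-signing-certificate"
SAMPLE_LINKS = json.dumps([{
    "relation": [RELATION],
    "target": {"namespace": "android_app", "package_name": "com.example.app",
               "sha256_cert_fingerprints": [cert_fingerprint(SAMPLE_CERT)]},
}])

if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_CERT)
    print(fp, asset_links_allow(SAMPLE_LINKS, "com.example.app", fp))
```

Knowing the fingerprint does not let anyone produce an APK that matches it; that requires the private signing key, which never appears in the APK or in assetlinks.json.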