（假设您可以访问原始的apk文件 - 如果您知道或对其名称和位置进行有根据的猜测，即使您无法在无根的手机上列出/ data的内容，您通常也可以这样做）

(assuming you can obtain access to the raw apk file - which you usually can, if you know or make an educated guess of its name and location, even though you can't list the contents of /data on a non-rooted phone)

您可以以zip文件形式打开apk并从META-INF / CERT.RSA的二进制内容中过滤ascii文本

You could open the apk as a zip file and filter the ascii text from the binary content of META-INF/CERT.RSA

或使用实际工具，

jarsigner -verify -certs -verbose some_application.apk

当然，验证签名人是他们声称的人的唯一方法是通过直接或经过验证的方式使用相同的密钥签署其他密钥，然后比较签署密钥指纹 - 这是Android本身验证应用程序升级和应用程序ID共享来自与他们目标现有的APK的同一方。

Of course the only way to verify that the signer is who they claim to be is to get something else signed with the same key from that party via direct or verified means and compare the signing key fingerprints - that is how Android itself verifies that app upgrades and app ID sharing come from the same party as the existing APK they target.