I would like to use the signature checksum instead of the package checksum when provisioning a device with a device owner app. The app will be downloaded from an http server.

This post is great when using EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM: Checksum Error while provisioning Android Lollipop

But I would like to use EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM. See: https://developer.android.com/reference/android/app/admin/DevicePolicyManager.htm

The provisioning app and device owner app will both on be running on Android O.

How do I get the signature checksum of my app that I can use in my key/value pair for NFC?

Try this

keytool -list -printcert -jarfile [path_to_your_apk] | grep -Po "(?<=SHA256:) .*" | xxd -r -p | openssl base64 | tr -d '=' | tr -- '+/=' '-_'

In details:

• keytool -list -printcert -jarfile [path_to_your_apk] extracts informations about the certificate of the APK,
• grep -Po "(?<=SHA256:) .*" | xxd -r -p takes the SHA256 hash and converts it to binary,
• openssl base64 encodes it with base64,
• tr -d '=' | tr -- '+/=' '-_' makes it URL-safe (+ is encoded as -, / is encoded as _ and the padding character = is removed).