Skip to content
/ android-cosu-signature-checksum-tool Public

πŸ” A utility to generate valid SIGNATURE_CHECKSUM values for Android COSU provisioning. Converts certificate SHA-256 into proper base64url format accepted by Android provisioning QR.

License

MIT license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

atlashour/android-cosu-signature-checksum-tool

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

9 Commits
.gitignore
.gitignore
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
go.mod
go.mod
Β 
Β 
main.go
main.go
Β 
Β 

Repository files navigation

android-cosu-signature-checksum-tool

πŸ” A utility to generate valid SIGNATURE_CHECKSUM values for Android COSU provisioning. Converts certificate SHA-256 into proper base64url format accepted by Android provisioning QR.

This tool helps generate correct PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM values for Android COSU (Corporate Owned Single Use) provisioning.
It extracts the SHA-256 fingerprint from your APK's signing certificate, encodes it to a URL-safe base64 string without padding β€” the exact format Android expects but never documents.

βœ… Why use SIGNATURE_CHECKSUM?

Using the certificate's SHA-256 as a signature checksum allows Android to verify the APK's origin without hard-locking it to a specific build.
This is the recommended method for provisioning production devices, as it:

  • Supports future updates signed with the same keystore
  • Avoids breaking provisioning due to minor changes in the APK
  • Prevents unnecessary QR regeneration

βš™οΈ Requirements

  • βœ… Your .apk must be signed with a custom keystore (release build)
  • βœ… You need access to the keytool binary

πŸ“¦ Keytool path for Android Studio users (Windows):

Add this to your system PATH environment variable:

C:\Program Files\Android\Android Studio\jbr\bin

Or run it explicitly from that folder if needed.

πŸš€ How to use

go run apk_signature_checksum.go path/to/app-release.apk

Requires Go installed. You can compile it with: go build -o cosu-checksum.exe apk_signature_checksum.go

πŸ“€ Output

You will get a clean, valid checksum like this:

βœ”οΈ Final checksum for PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM:
GQfdGZbRF9hzPKYzJB0y6xgSrplOWAK-W0KL0r4Ud0v

This is safe to use in your provisioning QR JSON like:

{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "GQfdGZbRF9hzPKYzJB0y6xgSrplOWAK-W0KL0r4Ud0v"
}

🧠 What makes this tool special?

Android expects a very specific encoding:

  • SHA-256 of the certificate (not the APK itself)
  • Encoded as base64url (not standard base64)
  • No padding (= must be removed)

Failing to meet this exact format results in silent provisioning failure with the dreaded and vague error:

"Can't set up device. Contact your IT admin for help."

You will get no logs, no stacktrace, and no explanation.

πŸ‘Ύ Contribute

This tool was built to save developers from losing days on undocumented Android behavior.
PRs, issues, or usage reports are welcome!

With love, Atlashour
✨ Special thanks to ChatGPT-4o β€” extremely supportive and accurate.

πŸ” Keywords for searchability (SEO)

- Android COSU provisioning tool
- PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
- Can't set up device Contact your IT admin for help
- Android base64url signature hash
- Silent provisioning failure
- COSU QR code Android 13 / 14 / 15

About

πŸ” A utility to generate valid SIGNATURE_CHECKSUM values for Android COSU provisioning. Converts certificate SHA-256 into proper base64url format accepted by Android provisioning QR.

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

Initial release Latest
Mar 28, 2025

Packages

No packages published

Languages