In order to revoke a leaked APK, you need to extract the certificate first. This can be done by extracting the file ``META-INF\CERT.RSA``. Open a terminal and run ``keytool -printcert -file CERT.RSA`` to get the SHA-256 fingerprint. The ``keytool`` utility is part of every JDK installation.
Now revoke the certificate by attaching the SHA-256 checksum to ``app/src/main/assets/revoked_certs.txt`` and prepending a comment (starting with ``#``). Finally, push the changes to ``master`` branch to populate the changes.
### Demo keystore
You can verify this works by signing an APK with the demo keystore. The password for both the keystore and the key is ``androidaps``.