We are developing android app in team. To create signed release apk you should set key store path, password, key alias and key password. If I want me and any my team member could create signed apk with same signature should I commit key store file to source control?
Keystore file is stored and secured in Google play. Your APKs will be signed by Google Play with app signing key and published to users. Even if you lost your upload key you can contact with Google and you can update your application after validating your account.
So yes, you can use the same keystore to sign multiple apks, without a problem. You can also use the same alias (each alias is a certificate) to sign multiple apks, and it will work.
A keystore is a storage mechanism for security certificates. A public key certificate is used to sign an APK before deployment to services like the Google Play Store.
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.
You should not.
Release keystore is the most sensitive data.
In my team, there is only one people can sign the release package. (And may be one for backing up).
All sensitive info MUST be ignored and we make a reference to these info.
In my team, we config like that:
On Android Studio:
/local.properties file:
storeFile=[path/to/keystore/file] keyAlias=[alias's key] keyPassword=[alias's password] storePassword=[key's password] /app/build.gradle, config scope:
signingConfigs {   release {     Properties properties = new Properties()     properties.load(project.rootProject.file('local.properties').newDataInputStream())     storeFile file(properties.getProperty('storeFile'))     keyAlias properties.getProperty('keyAlias')     storePassword properties.getProperty('storePassword')     keyPassword properties.getProperty('keyPassword')   } }  buildTypes {   release {     minifyEnabled false     proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'     signingConfig signingConfigs.release   }   .   .   . } See my complete demo config:
apply plugin: 'com.android.application'  android {     compileSdkVersion 21     buildToolsVersion "22.0.1"      defaultConfig {         multiDexEnabled = true          applicationId "com.appconus.demoapp"         minSdkVersion 16         targetSdkVersion 21         multiDexEnabled = true         versionCode 18         versionName "1.3"     }      signingConfigs {         release {             Properties properties = new Properties()             properties.load(project.rootProject.file('local.properties').newDataInputStream())             storeFile file(properties.getProperty('storeFile'))             keyAlias properties.getProperty('keyAlias')             storePassword properties.getProperty('storePassword')             keyPassword properties.getProperty('keyPassword')         }     }      buildTypes {         release {             minifyEnabled false             proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'             signingConfig signingConfigs.release         }         debug {             minifyEnabled false             proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'         }         applicationVariants.all { variant ->             appendVersionNameVersionCode(variant, defaultConfig)         }     } } dependencies {     compile 'com.google.android.gms:play-services:8.1.0' } Go ahead:
However, there are cons: You introduce some risk of it being brute-forced when you check it in. So you should do a cost-benefit analysis and figure out whether that's worth it to you.
Another consideration is what your organization is using for config management already. If you have a system like Azure DevOps (TFS/VSTS) in place, you should try to leverage that. If you have a secret manager, you should integrate with that.
There are tradeoffs:
+---------------------------+-------------------+------+--------+--------+------------------------+ | Approach | Example | Easy | Simple | Secure | Separation of Concerns | +---------------------------+-------------------+------+--------+--------+------------------------+ | Config management system | Azure DevOps | | | X | X | | Private repo: unencrypted | Cleartext secrets | X | X | | | | Private repo: encrypted | git-secret | | X | X | | | Secret manager | Azure Key Vault | | | X | X | +---------------------------+-------------------+------+--------+--------+------------------------+
Personally, if I were setting this up in a large organization, I'd shop around for a secret manager. For a personal project or small team, I'd just commit the keystore and keep the credentials elsewhere. It depends on the scope, the risks, and what infrastructure is available.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With