Diberdayakan oleh Blogger.

Senin, 09 November 2015

Signing Android apk without putting keystore info in build.gradle

by Joielechong sipayung  |  in Slackware at  Senin, November 09, 2015


When releasing apk via gradle, we have to sign it with our keystore and its password. The easiest way is to include our keystore link and password directly in build.gradle:
 android {  
   ...  
   signingConfigs {  
     release {  
       storeFile file("my.keystore")  
       storePassword "store_password"  
       keyAlias "my_key_alias"  
       keyPassword "key_password"  
     }  
   }  
   buildTypes {  
     release {  
       signingConfig signingConfigs.release        
     }  
   }  
 }  
It's simple but giving us a pretty bad risk. If we working with versioning system like git, we will get a risk of exposing our keystore and password.


Separating keystore and Password From build.gradle

Some articles like Signing Open Source Android Apps Without Disclosing Passwords and Use signing.properties file which controls which keystore to use to sign the APK with gradle give us a way by making a properties file which build.gradle file will refer, then we add it to git ignore list. But what happens when we forget to add the properties file to ignore list? We will disclose our password to the world. The problems still persist.

Instead making properties file in the same directory within our project, we should make it outside. We make it outside by using gradle.properties file.

Here the steps (all code can be download from my gist):

1. Edit or create gradle.properties on your root project and add the following code, remember to edit the path with your own:
 AndroidProject.signing=/your/path/androidproject.properties  

2. Create androidproject.properties in /your/path/ and add the following code to it, don't forget to change /your/path/to/android.keystore to your keystore path:
 STORE_FILE=/your/path/to/android.keystore  
 STORE_PASSWORD=yourstorepassword  
 KEY_ALIAS=yourkeyalias  
 KEY_PASSWORD=yourkeypassword  

3. In your app module build.gradle (not your project root build.gradle) add the following code if not exist or adjust to it:
 signingConfigs {  
     release  
   }  
   buildTypes {  
     debug {  
       debuggable true  
     }  
     release {  
       minifyEnabled true  
       proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'  
       signingConfig signingConfigs.release  
     }  
   }  

4. Add the following code below the code in step 3:
 if (project.hasProperty("AndroidProject.signing")  
     && new File(project.property("AndroidProject.signing").toString()).exists()) {  
     def Properties props = new Properties()  
     def propFile = new File(project.property("AndroidProject.signing").toString())  
     if(propFile.canRead()) {  
      props.load(new FileInputStream(propFile))  
      if (props!=null && props.containsKey('STORE_FILE') && props.containsKey('STORE_PASSWORD') &&  
         props.containsKey('KEY_ALIAS') && props.containsKey('KEY_PASSWORD')) {  
         android.signingConfigs.release.storeFile = file(props['STORE_FILE'])  
         android.signingConfigs.release.storePassword = props['STORE_PASSWORD']  
         android.signingConfigs.release.keyAlias = props['KEY_ALIAS']  
         android.signingConfigs.release.keyPassword = props['KEY_PASSWORD']  
      } else {  
         println 'androidproject.properties found but some entries are missing'  
         android.buildTypes.release.signingConfig = null  
      }  
     } else {  
            println 'androidproject.properties file not found'  
          android.buildTypes.release.signingConfig = null  
     }  
   }  
This code will search for AndroidProject.signing property in gradle.properties from step 1. If the property found, it will translate property value as file path which pointing to androidproject.properties that we create in step 2. Then all the property value from it will be used as signing configuration for our build.gradle.

Now we don't need to worry again of risk of exposing our keystore password.

The above step have been test on Android Studio 1.4.1 in Slackware64 current with these settings in build.gradle:
- 'com.android.tools.build:gradle:1.2.3'
- buildToolsVersion "22.0.1"


Note: 
Article is heavily being influenced with Handling signing configs with Gradle article.

References:
1. Handling signing configs with Gradle
2. Use signing.properties file which controls which keystore to use to sign the APK with gradle.
3. http://stackoverflow.com/questions/20562189/sign-apk-without-putting-keystore-info-in-build-gradle
4. Signing Open Source Android Apps Without Disclosing Passwords
5. Where to put the gradle.properties file
6. Gradle Doc, Configuring the build environment via gradle.properties

0 comments:

Silahkan tinggalkan komentar anda: