@67Samuel
Last active September 21, 2022 05:39
Protecting secrets in .gradle files

In order to protect secrets related to signing in build.gradle, I did the following:

This is just a more step-by-step/expanded version of this gist and this commit. You should be able to do similar things for any other secrets!

Step 1

Make a .properties file (in this case I called it signing.properties) where the secrets will be stored.

RELEASE_STORE_PASSWORD=acbd123
RELEASE_KEY_PASSWORD=qwerty7890
RELEASE_KEY_ALIAS=key0
RELEASE_STORE_FILE=D\:\\AndroidStudio\\Projects\\ReleaseKeystore.jks

DEBUG_STORE_PASSWORD=123abcd
DEBUG_KEY_PASSWORD=7890qwerty
DEBUG_KEY_ALIAS=key0
DEBUG_STORE_FILE=D\:\\AndroidStudio\\Projects\\DebugKeystore.jks

Step 2

Add the .properties file to .gitignore (found in the Android Studio Projects view)

Step 3

Make the following changes to the module-level build.gradle:

android {
    signingConfigs {
        debug
        release
    }
    
    ...
    
    buildTypes {
        debug {
            ...
            signingConfig signingConfigs.debug
        }

        release {
            ...
            signingConfig signingConfigs.release
        }
    }
    
    ...
    
}

// Load signing secrets from signing.properties, which is kept out of version control
Properties props = new Properties()
// A relative java.io.File path resolves against the directory Gradle is run from
def propFile = new File('signing.properties')
if (propFile.canRead()) {
    // withInputStream closes the stream once the properties are loaded
    propFile.withInputStream { props.load(it) }

    // Release signing config: applied only when all four entries are present
    if (props.containsKey('RELEASE_STORE_FILE') && props.containsKey('RELEASE_STORE_PASSWORD') &&
            props.containsKey('RELEASE_KEY_ALIAS') && props.containsKey('RELEASE_KEY_PASSWORD')) {
        android.signingConfigs.release.storeFile = file(props['RELEASE_STORE_FILE'])
        android.signingConfigs.release.storePassword = props['RELEASE_STORE_PASSWORD']
        android.signingConfigs.release.keyAlias = props['RELEASE_KEY_ALIAS']
        android.signingConfigs.release.keyPassword = props['RELEASE_KEY_PASSWORD']
    } else {
        println 'signing.properties found but some entries are missing for release build'
        android.buildTypes.release.signingConfig = null
    }

    // Debug signing config: the DEBUG_* entries go to signingConfigs.debug, not release
    if (props.containsKey('DEBUG_STORE_FILE') && props.containsKey('DEBUG_STORE_PASSWORD') &&
            props.containsKey('DEBUG_KEY_ALIAS') && props.containsKey('DEBUG_KEY_PASSWORD')) {
        android.signingConfigs.debug.storeFile = file(props['DEBUG_STORE_FILE'])
        android.signingConfigs.debug.storePassword = props['DEBUG_STORE_PASSWORD']
        android.signingConfigs.debug.keyAlias = props['DEBUG_KEY_ALIAS']
        android.signingConfigs.debug.keyPassword = props['DEBUG_KEY_PASSWORD']
    } else {
        println 'signing.properties found but some entries are missing for debug build'
        android.buildTypes.debug.signingConfig = null
    }
} else {
    // No readable secrets file: leave both build types without a signing config
    println 'signing.properties not found'
    android.buildTypes.release.signingConfig = null
    android.buildTypes.debug.signingConfig = null
}
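
Step 2 only protects the secrets if signing.properties was never committed: a .gitignore rule does not untrack a file that is already in the index, and earlier commits keep its contents. The check below is an added example, not part of the original gist; the function name audit_secret_file is an assumption, and it relies only on standard git commands.

```shell
#!/bin/sh
# Added example (not from the gist): audit that a secrets file such as
# signing.properties is really kept out of a Git repository.
# Usage: audit_secret_file REPO_DIR PATH_RELATIVE_TO_REPO
# Prints one finding per line; returns 0 only when all three checks pass.
audit_secret_file() {
    repo=$1
    file=$2
    rc=0

    # 1. Does an ignore rule match the path? --no-index tests the rule itself,
    #    even when the file is already tracked.
    if git -C "$repo" check-ignore -q --no-index -- "$file"; then
        echo "ignore-rule: yes"
    else
        echo "ignore-rule: NO (add '$file' to .gitignore)"
        rc=1
    fi

    # 2. Is the file in the index? .gitignore does not untrack a file that
    #    was added before the rule existed.
    if git -C "$repo" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
        echo "tracked: YES (git rm --cached '$file', then commit)"
        rc=1
    else
        echo "tracked: no"
    fi

    # 3. Did any commit on any ref ever touch the path? If so, the secrets are
    #    still readable from history and should be treated as exposed.
    hist=$(git -C "$repo" log --all --format=%h -- "$file" 2>/dev/null || true)
    if [ -n "$hist" ]; then
        echo "in-history: YES (rotate the keystore passwords)"
        rc=1
    else
        echo "in-history: no"
    fi

    return "$rc"
}
```

Call it from the project root as `audit_secret_file . signing.properties`; a non-zero return makes it usable as a pre-commit or CI gate.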