Question
Dear stackoverflow community, once more I turn to you :)
I've recently come across the wonder of GitLab and their very nice bundled CI/CD solution. It works gallantly; however, we all need to sign our binaries, don't we, and I've found no way to upload a key as I would to a Jenkins server for doing this.
So, how can I, without checking in my keys and secrets, sign my Android (actually Flutter) application when building a release?
From what I see, most people define the build job with signing settings referring to a non-committed key.properties file specifying a local keystore.jks. This works fine when building APKs locally but if I would like to build and archive them as a part of the CI/CD job, how do I?
For secret keys, for example the passwords to the keystore itself, I've found that I can simply store them as protected variables but the actual keystore file itself. What can I do about that?
Any ideas, suggestions are dearly welcome. Cheers
Answer 1:
Usually I store the keystore file (as a base64 string), alias and passwords in GitLab's secret variables.
In the .gitlab-ci.yml do something like:
    create_property_files:
      stage: prepare
      only:
        - master
      script:
        # Decode the base64-encoded keystore held in the KEYSTORE variable
        - echo "$KEYSTORE" | base64 -d > my.keystore
        # Write the properties file that the Gradle signing config reads
        - echo "keystorePath=my.keystore" > signing.properties
        - echo "keystorePassword=$KEYSTORE_PASSWORD" >> signing.properties
        - echo "keyAlias=$ALIAS" >> signing.properties
        - echo "keyPassword=$KEY_PASSWORD" >> signing.properties
      # Hand both files to later stages as short-lived artifacts
      artifacts:
        paths:
          - my.keystore
          - signing.properties
        expire_in: 10 mins
And, finally, in your build gradle:
    signingConfigs {
        release {
            file("../signing.properties").with { propFile ->
                if (propFile.canRead()) {
                    def properties = new Properties()
                    properties.load(new FileInputStream(propFile))
                    storeFile file(properties['keystorePath'])
                    storePassword properties['keystorePassword']
                    keyAlias properties['keyAlias']
                    keyPassword properties['keyPassword']
                } else {
                    println 'Unable to read signing.properties'
                }
            }
        }
    }
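Added example, not part of the original answer: a variant of the same decode-and-write step that runs inside the job that signs, so the keystore and passwords are written with owner-only permissions and are not stored as a downloadable job artifact. The variable names match the answer; the function names and the target directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer). Variable names follow the
# answer; write_signing_files / cleanup_signing_files are hypothetical names.

# Write my.keystore and signing.properties into directory $1.
# The body runs in a subshell, so umask and variables do not leak.
write_signing_files() (
    dir=$1
    # Fail early, naming the variable but never printing its value.
    for name in KEYSTORE KEYSTORE_PASSWORD ALIAS KEY_PASSWORD; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing CI/CD variable: $name" >&2
            exit 1
        fi
    done
    umask 077                       # new files are readable by the job user only
    mkdir -p "$dir" || exit 1
    # Quoting keeps the base64 text intact; reject bad or empty output.
    if ! printf '%s' "$KEYSTORE" | base64 -d > "$dir/my.keystore" 2>/dev/null ||
       [ ! -s "$dir/my.keystore" ]; then
        rm -f "$dir/my.keystore"
        echo "KEYSTORE is not valid base64" >&2
        exit 1
    fi
    # Same keys as the answer's signing.properties; the keystore path is
    # written in full so it does not depend on Gradle's working directory.
    {
        printf 'keystorePath=%s\n' "$dir/my.keystore"
        printf 'keystorePassword=%s\n' "$KEYSTORE_PASSWORD"
        printf 'keyAlias=%s\n' "$ALIAS"
        printf 'keyPassword=%s\n' "$KEY_PASSWORD"
    } > "$dir/signing.properties"
)

# Remove both files; meant to be registered with `trap ... EXIT` in the job.
cleanup_signing_files() {
    rm -f "$1/my.keystore" "$1/signing.properties"
}
```

Call `write_signing_files` with an absolute directory just before the release build, and register `cleanup_signing_files` with `trap` on `EXIT` so the files are removed whether the build passes or fails.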
Answer 2:
I've used git-secret in the past to check in password-protected secret files. Then pass the password via a secret/protected environment variable (as you already know) and modify the .gitlab-ci.yml to use the password to open the files and use them.
Source: https://stackoverflow.com/questions/51725339/how-to-manage-signing-keystore-in-gitlab-ci-for-android