Currently, I sign the app in the following manner where keys are read from env in CI.
signingConfigs {
release {
storeFile file(System.getenv("ANDROID_KEYSTORE_PATH"))
storePassword System.getenv("KEYSTORE_PASSWORD")
keyAlias System.getenv("KEY_ALIAS")
keyPassword System.getenv("KEY_PASSWORD")
}
}
buildTypes {
release {
signingConfig signingConfigs.release
manifestPlaceholders = [excludeSystemAlertWindowPermission: "true"]
}
}
But this method will make the passwords available if someone decompiles the apk.
Is there a way by which keys are only used during the signing and then stripped from code and then uploaded to Play store?
Or if someone can point me to more secure ways of signing apk's?
This details doesn't get bundled in a apk file, so even if someone de-compiles your apk he wont get to see this.
You can alternatively use android studio to create a signed apk. Check this link to see how it is done