Android Sign APK without exposing keystore password


Example

You can define the signing configuration to sign the apk in the build.gradle file using these properties:

  • storeFile : the keystore file
  • storePassword: the keystore password
  • keyAlias: a key alias name
  • keyPassword: A key alias password

In many case you may need to avoid this kind of info in the build.gradle file.

Method A: Configure release signing using a keystore.properties file

It's possible to configure your app's build.gradle so that it will read your signing configuration information from a properties file like keystore.properties.

Setting up signing like this is beneficial because:

  • Your signing configuration information is separate from your build.gradle file
  • You do not have to intervene during the signing process in order to provide passwords for your keystore file
  • You can easily exclude the keystore.properties file from version control

First, create a file called keystore.properties in the root of your project with content like this (replacing the values with your own):

storeFile=keystore.jks
storePassword=storePassword
keyAlias=keyAlias
keyPassword=keyPassword

Now, in your app's build.gradle file, set up the signingConfigs block as follows:

android {
...

    signingConfigs {
        release {
            def propsFile = rootProject.file('keystore.properties')
            if (propsFile.exists()) {
                def props = new Properties()
                props.load(new FileInputStream(propsFile))
                storeFile = file(props['storeFile'])
                storePassword = props['storePassword']
                keyAlias = props['keyAlias']
                keyPassword = props['keyPassword']
            }
        }
    }
}

That's really all there is to it, but don't forget to exclude both your keystore file and your keystore.properties file from version control.

A couple of things to note:

  • The storeFile path specified in the keystore.properties file should be relative to your app's build.gradle file. This example assumes that the keystore file is in the same directory as the app's build.gradle file.
  • This example has the keystore.properties file in the root of the project. If you put it somewhere else, be sure to change the value in rootProject.file('keystore.properties') to the location of yours, relative to the root of your project.

Method B: By using an environment variable

The same can be achieved also without a properties file, making the password harder to find:

android {

  signingConfigs {
    release {
        storeFile file('/your/keystore/location/key')
        keyAlias 'your_alias'
        String ps = System.getenv("ps")
        if (ps == null) {
             throw new GradleException('missing ps env variable')
        }
        keyPassword ps
        storePassword ps
    }
}

The "ps" environment variable can be global, but a safer approach can be by adding it to the shell of Android Studio only.
In linux this can be done by editing Android Studio's Desktop Entry

Exec=sh -c "export ps=myPassword123 ; /path/to/studio.sh"

You can find more details in this topic.