Signing Android APK’s with CircleCI – V2

My previous post shared instructions on how to sign APK’s on CircleCI using Dropbox to securely store your private key.

Since then I’ve found a simpler and more secure way to store everything in CircleCI secure environment variables using base64 encoding.

Step 1: Base64 encode your private key

From the console enter:

cat path/to/yourprivatekey.jks | base64

This will print block of base64 encoded text to your screen.  Copy it.

Step 2: Add your environment vars to CircleCI

Now go to your project config on CircleCI and add a new project-level environment variable in CircleCI called ENCODED_KEYSTORE and paste the encoded key you copied in step 1 as it’s value.

Step 3: Make config.yml decode the keystore into a file

Right before your gradle dependencies step in your CircleCI config.yml add the following:

- run: echo $ENCODED_KEYSTORE | base64 --decode >> ${HOME}/repo/keystore.jks
- run: echo 'export KEYSTORE=${HOME}/repo/keystore.jks' >> $BASH_ENV

What this does is decode the base64 encoded text back into the keystore.jks file and then
sets the KEYSTORE environment variable to it’s location.

From here, it’s just a matter of following the standard steps for signing a release.  This typically involes adding a release signingConfig configured to retrieve it’s settings from environment variables along with a release buildType to apply the signingConfig:

android {
    signingConfigs {

        release {
            storeFile file(System.getenv("KEYSTORE") ?: "keystore.jks")
            storePassword System.getenv("KEYSTORE_PASSWORD")
            keyAlias System.getenv("KEY_ALIAS")
            keyPassword System.getenv("KEY_PASSWORD")
        }
    }

    buildTypes {
        release {
            minifyEnabled false
            zipAlignEnabled true
            signingConfig signingConfigs.release
        }
    }
}