Skip to content
Published May 7, 2018

My previous post shared instructions on how to sign APK’s on CircleCI using Dropbox to securely store your private key.

Since then I’ve found a simpler and more secure way to store everything in CircleCI secure environment variables using base64 encoding.

Step 1: Base64 encode your private key

From the console enter:

cat path/to/yourprivatekey.jks | base64

This will print block of base64 encoded text to your screen.  Copy it.

Step 2: Add your environment vars to CircleCI

Now go to your project config on CircleCI and add a new project-level environment variable in CircleCI called ENCODED_KEYSTORE and paste the encoded key you copied in step 1 as it’s value.

Step 3: Make config.yml decode the keystore into a file

Right before your gradle dependencies step in your CircleCI config.yml add the following:

- run: echo $ENCODED_KEYSTORE | base64 --decode >> ${HOME}/repo/keystore.jks
- run: echo 'export KEYSTORE=${HOME}/repo/keystore.jks' >> $BASH_ENV

What this does is decode the base64 encoded text back into the keystore.jks file and then
sets the KEYSTORE environment variable to it’s location.

From here, it’s just a matter of following the standard steps for signing a release.  This typically involes adding a release signingConfig configured to retrieve it’s settings from environment variables along with a release buildType to apply the signingConfig:

android {
    signingConfigs {

        release {
            storeFile file(System.getenv("KEYSTORE") ?: "keystore.jks")
            storePassword System.getenv("KEYSTORE_PASSWORD")
            keyAlias System.getenv("KEY_ALIAS")
            keyPassword System.getenv("KEY_PASSWORD")

    buildTypes {
        release {
            minifyEnabled false
            zipAlignEnabled true
            signingConfig signingConfigs.release


  1. Nick Popadiuk Nick Popadiuk

    I would say it doesn’t work with CircleCI single-line environment variables and you need to wrap it like

    cat xxx.jks | base64 | sed ‘:a;N;$!ba;s/\n/ /g’


    – run: echo $ENCODED_KEYSTORE | sed ‘s/ /\n/g’ | base64 –decode >> ${HOME}/repo/keystore.jks

Leave a Reply

Your email address will not be published.