Updated: 2024-10-23 17:37:43
What is the best practice to use keystores to sign the release version of an Android app on Travis CI?


I've been using Travis CI to build my Android app. I am signing it in the debug builds with a debug.keystore which I pushed to a public repository.

But I want to build the release build and upload it to the Google Play Store using this gradle plugin.

This process needs a keystore and a p12 certificate file.

While I can add encrypted environment variables to Travis CI, I don't know the best way to store these files.

Question 1: What is the best practice to do this? And can someone provide an open source implementation? (I couldn't find one)

One possible implementation: Store a username and password securely as environment variables. Store the files in an SSL-enabled environment and protect them with this username and password using simple HTTP authentication. Use them to download the files with curl before the build process begins.

Question 2: Does this implementation make sense at all? Is it secure?

Extra: These 2 blog posts are great sources related to this but none of them answers this question unfortunately.

http://stablekernel.com/blog/deploying-google-play-continuous-delivery-android-part-4/ https://www.bignerdranch.com/blog/continuous-delivery-for-android/

Accepted answer

Updated (5/28/15):

I have started to implement my solution here (open source): https://github.com/NonameDev/MathApp

Use System.getenv("TRAVIS") to detect that your build is running on Travis.

storeFile rootProject.file('release.keystore') - keep the release key in your own repository - travis will hide the password
storePassword System.getenv("KEYSTORE_PASS") - store the environment variable on travis - travis will hide the output
keyAlias System.getenv("ALIAS_NAME") - store the environment variable on travis - travis will hide the output
keyPassword System.getenv("ALIAS_PASS") - store the environment variable on travis - travis will hide the output
System.getenv("SERVICE_EMAIL") - store the environment variable on travis - travis will hide the output
rootProject.file('play.p12') - store the cert locally - travis will store the email service account

Top build.gradle:

buildscript {
    repositories {
        mavenCentral()
        jcenter()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:1.2.3'
        classpath 'com.github.triplet.gradle:play-publisher:1.1.0'
    }
}

App build.gradle:

apply plugin: 'com.android.application'
apply plugin: 'com.github.triplet.play'

android {
    compileSdkVersion 22
    buildToolsVersion '22.0.1'

    defaultConfig {
        applicationId 'burrows.apps.mathapp'
        minSdkVersion 9
        targetSdkVersion 22
        versionCode 1
        versionName '1.0'
    }

    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_7
        targetCompatibility JavaVersion.VERSION_1_7
    }

    signingConfigs {
        debug {
            storeFile rootProject.file('debug.keystore')
            storePassword 'android'
            keyAlias 'androiddebugkey'
            keyPassword 'android'
        }
        // The release config only exists on Travis, where the secrets are set.
        if (System.getenv("TRAVIS")) {
            release {
                storeFile rootProject.file('release.keystore')
                storePassword System.getenv("KEYSTORE_PASS")
                keyAlias System.getenv("ALIAS_NAME")
                keyPassword System.getenv("ALIAS_PASS")
            }
        }
    }

    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            // The release build type is unsigned unless it is told which signing config to use.
            if (System.getenv("TRAVIS")) {
                signingConfig signingConfigs.release
            }
        }
    }

    lintOptions {
        abortOnError false
    }
}

if (System.getenv("TRAVIS")) {
    play {
        serviceAccountEmail = System.getenv("SERVICE_EMAIL")
        pk12File = rootProject.file('play.p12')
        track = 'production' // or 'alpha' or 'beta' or 'production'
    }
}

Original Answer:

Have you seen this answer? He posts a link to his TravisCI builds "before" and "after" correcting his build.

Here is his answer:

Compare build #162 and #163.

Basically he had to run sudo pip install google-api-python-client

With that being said, I checked out the github repo here.

Here is his .travis.yml:

language: android
android:
  components:
    - build-tools-21.1.2
    - extra-android-m2repository
env:
  global:
    - secure: <removed>
    - secure: <removed>
before_install:
  - ci/decrypt_files
  - ci/start_emulator
install:
  - ./gradlew build
before_script:
  - ci/wait_for_emulator
script:
  - ./gradlew connectedAndroidTestMockDebug
after_success:
  - ci/deploy_all
notifications:
  email:
    - <removed>

Source: https://github.com/mg6maciej/VielenGamesAndroidClient/blob/develop/.travis.yml

Before build:

This is the secure part of the process, where the keys are used and the password comes from TravisCI (securely stored on TravisCI).

before_install:
  - ci/decrypt_files
  - ci/start_emulator

Source of ci/decrypt_files:

#!/bin/bash
openssl aes-256-cbc -d -k "$file_password" -in app/gradle.properties.enc -out app/gradle.properties
openssl aes-256-cbc -d -k "$file_password" -in app/crashlytics.properties.enc -out app/crashlytics.properties
openssl aes-256-cbc -d -k "$file_password" -in ci/vielengames.keystore.enc -out ci/vielengames.keystore
openssl aes-256-cbc -d -k "$file_password" -in ci/key.p12.enc -out key.p12

Source: https://github.com/mg6maciej/VielenGamesAndroidClient/blob/develop/ci/decrypt_files

After Build:

This is where python and the other Google libs are downloaded and used to deploy the app to Google Play.

after_success:
  - ci/deploy_all

Source of ci/deploy_all:

#!/bin/bash
test "$TRAVIS_BRANCH" == "master" && ci/deploy_google_play
ci/deploy_testfairy
ci/deploy_crashlytics_beta

Source of ci/deploy_google_play:

#!/bin/bash
DIR=$(dirname "$0")
sudo apt-get install python-openssl
sudo pip install google-api-python-client
python $DIR/basic_upload_apks.py com.vielengames $DIR/../app/build/outputs/apk/app-production-release.apk
python $DIR/basic_upload_apks.py com.vielengames.staging $DIR/../app/build/outputs/apk/app-staging-release.apk

Security:

Your Question 1:

I believe you have to have both the keystore and the p12 for the app, but you can safely store your password with TravisCI (see the "$file_password"), just like the example above.

Your Question 2:

Even if you have the keystore and the p12 cert, you still need the password (see the "$file_password") for both to work and be used to publish to the store.

For extra security, you want to add another login with less permissions than your main login. Here is what the author of the repo did:

...
TRACK = 'beta'  # Can be 'alpha', 'beta', 'production' or 'rollout'
SERVICE_ACCOUNT_EMAIL = (
    '148768954062-sp89pjb1blr7cu2f73f4fpd6dqloc047@developer.gserviceaccount.com')

# Declare command-line flags.
argparser = argparse.ArgumentParser(add_help=False)
argparser.add_argument('package_name',
                       help='The package name. Example: com.android.sample')
argparser.add_argument('apk_file',
                       nargs='?',
                       default='test.apk',
                       help='The path to the APK file to upload.')
...

Source: https://github.com/mg6maciej/VielenGamesAndroidClient/blob/develop/ci/basic_upload_apks.py
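As an added example (not code from the question, the answer or the linked repositories), here is a hardened variant of the ci/decrypt_files pattern in the answer that also gives the questioner's download-before-build proposal the integrity check it would need. It assumes a FILE_PASSWORD environment variable (a Travis secure variable) and a layout where each secret is committed as <name>.enc next to a <name>.enc.sha256 of the plaintext; the keystore and p12 contents it works on are constructed stand-ins. Two things differ from the script above: the password reaches openssl through -pass env: instead of -k "$file_password", so it never appears in the process arguments that other processes on the builder can read, and -pbkdf2 stretches it before use; and every decrypted file is compared against the committed digest, because CBC padding alone does not reject every wrong password and says nothing about a tampered .enc file.

```shell
#!/bin/bash
# Added example, not from the question, the answer or the linked repositories.
# Assumed: FILE_PASSWORD is set as a Travis secure environment variable, and each
# secret is committed as <name>.enc next to a <name>.enc.sha256 of the plaintext.
set -eu

sha256_of() {
  # Hex digest only; relies on the openssl CLI, which the decrypt step needs anyway.
  openssl dgst -sha256 "$1" | awk '{print $NF}'
}

encrypt_secret() {
  # encrypt_secret <plaintext file> <output .enc file>
  local plain="$1" enc="$2"
  : "${FILE_PASSWORD:?FILE_PASSWORD must be set}"
  # -pass env: keeps the password out of `ps` output, unlike -k "$file_password";
  # -pbkdf2 -salt derives the key by key stretching instead of a single hash.
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:FILE_PASSWORD \
    -in "$plain" -out "$enc" || return 1
  sha256_of "$plain" > "$enc.sha256"
}

decrypt_secret() {
  # decrypt_secret <.enc file> <plaintext output>
  # Returns 1 and leaves no plaintext behind if the password or the file is wrong.
  local enc="$1" plain="$2"
  : "${FILE_PASSWORD:?FILE_PASSWORD must be set}"
  if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass env:FILE_PASSWORD \
       -in "$enc" -out "$plain" 2>/dev/null; then
    rm -f "$plain"; echo "decrypt failed: $enc" >&2; return 1
  fi
  chmod 600 "$plain"
  # CBC padding rejects most wrong passwords; the committed digest rejects the rest
  # and also catches a modified .enc file.
  if [ "$(sha256_of "$plain")" != "$(cat "$enc.sha256")" ]; then
    rm -f "$plain"; echo "checksum mismatch: $plain" >&2; return 1
  fi
}

roundtrip_check() {
  # Self-test with a constructed stand-in for release.keystore (not a real keystore).
  local dir rc=0
  dir=$(mktemp -d)
  printf 'constructed-keystore-bytes-%s\n' 12345 > "$dir/release.keystore"
  export FILE_PASSWORD='constructed-test-password'
  encrypt_secret "$dir/release.keystore" "$dir/release.keystore.enc" || rc=1
  decrypt_secret "$dir/release.keystore.enc" "$dir/out.keystore" || rc=1
  cmp -s "$dir/release.keystore" "$dir/out.keystore" || rc=1
  rm -rf "$dir"
  return "$rc"
}

wrong_password_check() {
  # Decrypting with the wrong password must fail and must not leave a partial file.
  local dir rc=1
  dir=$(mktemp -d)
  printf 'constructed-p12-bytes\n' > "$dir/play.p12"
  export FILE_PASSWORD='constructed-correct-password'
  encrypt_secret "$dir/play.p12" "$dir/play.p12.enc" || { rm -rf "$dir"; return 1; }
  export FILE_PASSWORD='constructed-wrong-password'
  if ! decrypt_secret "$dir/play.p12.enc" "$dir/out.p12" && [ ! -e "$dir/out.p12" ]; then
    rc=0
  fi
  rm -rf "$dir"
  return "$rc"
}

if [ "${1:-}" = "demo" ]; then
  roundtrip_check && wrong_password_check && echo "encrypt/decrypt checks passed"
fi
```

Run it as `bash decrypt_secrets.sh demo` to exercise the two self-checks. In a .travis.yml of the shape shown above, decrypt_secret belongs in before_install, and an after_script step should delete the decrypted keystore and p12 so they do not outlive the build; the .enc files and their .sha256 digests are the only artifacts that need to live in the repository.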

Published: 2023-07-31 20:09:00
Link: https://www.elefans.com/category/jswz/34/1347357.html