From fea1a75cdf3de685e0ebdf8136e53bd184c406db Mon Sep 17 00:00:00 2001
From: Joe Julian
Date: Sat, 18 Apr 2026 22:16:25 -0700
Subject: [PATCH] Keep release signing secrets out of APK build logs
---
 APK.md | 4 +++-
 Makefile | 17 ++++++++++++++---
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/APK.md b/APK.md
index 5899548..af93d30 100644
--- a/APK.md
+++ b/APK.md
@@ -34,6 +34,7 @@ Environment:
 - `APK_VERSION` overrides the packaged app version.
 - `ANDROID_MIN_SDK` overrides the minimum supported Android SDK.
 - `ANDROID_TARGET_SDK` overrides the target Android SDK.
+- `SIGNPASS_FILE` provides the signing password by file instead of a command-line argument.
 - `RELEASE_SIGNKEY` overrides the release keystore path used by `make apk-release`.
 - `RELEASE_SIGNPASS_FILE` overrides the password file path used by `make apk-release`.
@@ -57,7 +58,8 @@ go tool gogio -target android ./cmd/keepassgo ...
 ```
 The release target wraps `make apk` and injects explicit signing credentials so
-local release builds and CI use the same stable key.
+local release builds and CI use the same stable key without echoing the release
+password in build logs.
 The Android build uses the branded icon asset at:
diff --git a/Makefile b/Makefile
index 8f549d2..eba6520 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ ANDROID_MIN_SDK ?= 28
 ANDROID_TARGET_SDK ?= 35
 SIGNKEY ?=
 SIGNPASS ?=
+SIGNPASS_FILE ?=
 RELEASE_SIGNKEY ?= $(HOME)/.config/keepassgo/android-release.keystore
 RELEASE_SIGNPASS_FILE ?= $(HOME)/.config/keepassgo/android-release.pass
 ARCH_PKG_DIR ?= packaging/archlinux/keepassgo-git
@@ -29,6 +30,7 @@ GOGIO_SIGN_FLAGS += -signpass $(SIGNPASS)
 endif
 CONTAINER_SIGNKEY_MOUNT :=
+CONTAINER_SIGNPASSFILE_MOUNT :=
 CONTAINER_SIGN_ARGS :=
 ifneq ($(strip $(SIGNKEY)),)
 CONTAINER_SIGNKEY_MOUNT += -v "$(dir $(abspath $(SIGNKEY))):$(dir $(abspath $(SIGNKEY))):ro"
@@ -37,6 +39,10 @@ endif
 ifneq ($(strip $(SIGNPASS)),)
 CONTAINER_SIGN_ARGS += SIGNPASS="$(SIGNPASS)"
 endif
+ifneq ($(strip $(SIGNPASS_FILE)),)
+CONTAINER_SIGNPASSFILE_MOUNT += -v "$(dir $(abspath $(SIGNPASS_FILE))):$(dir $(abspath $(SIGNPASS_FILE))):ro"
+CONTAINER_SIGN_ARGS += SIGNPASS_FILE="$(abspath $(SIGNPASS_FILE))"
+endif
 .PHONY: apk apk-local apk-release apk-container apk-container-image archlinux-pkgbuild browser-bridge browser-extension-validate
 apk:
@@ -55,6 +61,12 @@ apk-local: android/keepassgo-android.jar
 @test -d "$(ANDROID_SDK_ROOT)/platforms/android-$(ANDROID_TARGET_SDK)" || { echo "Android platform android-$(ANDROID_TARGET_SDK) is missing"; exit 1; }
 @test -d "$(ANDROID_SDK_ROOT)/build-tools" || { echo "Android build-tools are missing"; exit 1; }
 @mkdir -p "$(dir $(APK_OUT))"
+ @set -eu; \
+ if [ -n "$(SIGNPASS_FILE)" ]; then \
+ test -f "$(SIGNPASS_FILE)" || { echo "SIGNPASS_FILE does not exist: $(SIGNPASS_FILE)"; exit 1; }; \
+ export GOGIO_SIGNPASS="$$(tr -d '\r\n' < "$(SIGNPASS_FILE)")"; \
+ test -n "$$GOGIO_SIGNPASS" || { echo "SIGNPASS_FILE is empty: $(SIGNPASS_FILE)"; exit 1; }; \
+ fi; \
 ANDROID_HOME="$(ANDROID_SDK_ROOT)" \
 ANDROID_SDK_ROOT="$(ANDROID_SDK_ROOT)" \
 ANDROID_NDK_ROOT="$(ANDROID_NDK_ROOT)" \
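Review bot: The new `CONTAINER_SIGNPASSFILE_MOUNT` line bind-mounts the whole parent directory of the password file, so everything stored beside it becomes readable inside the build container. Mounting only the file keeps the exposure to what the build needs: `CONTAINER_SIGNPASSFILE_MOUNT += -v "$(abspath $(SIGNPASS_FILE)):$(abspath $(SIGNPASS_FILE)):ro"`. The defaults for `RELEASE_SIGNKEY` and `RELEASE_SIGNPASS_FILE` share one directory, so the key mount and this mount would name the same container path twice. Docker generally rejects that as a duplicate mount point, which would matter if the release build runs through `apk-container` (that routing is not visible in this patch).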
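Review bot: When `SIGNPASS` and `SIGNPASS_FILE` are both set, exporting `GOGIO_SIGNPASS` in this block does not switch off the older path. `GOGIO_SIGN_FLAGS` still carries `-signpass $(SIGNPASS)` and `CONTAINER_SIGN_ARGS` still carries `SIGNPASS="$(SIGNPASS)"`, so the password stays in process arguments. The gogio invocation is outside the hunk, so which value wins cannot be confirmed from here. A parse-time guard beside the `ifneq` blocks would make the choice explicit, for example `$(error set only one of SIGNPASS and SIGNPASS_FILE)` when both are non-empty. The `apk-release` hunk could also add `SIGNPASS=` to its `$(MAKE) apk` arguments so a value inherited from the environment cannot re-enable the flag.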
@@ -74,9 +86,7 @@ apk-local: android/keepassgo-android.jar
 apk-release:
 @test -f "$(RELEASE_SIGNKEY)" || { echo "Release signing key not found at $(RELEASE_SIGNKEY)"; exit 1; }
 @test -f "$(RELEASE_SIGNPASS_FILE)" || { echo "Release signing password file not found at $(RELEASE_SIGNPASS_FILE)"; exit 1; }
- @signpass="$$(tr -d '\r\n' < "$(RELEASE_SIGNPASS_FILE)")"; \
- test -n "$$signpass" || { echo "Release signing password file is empty"; exit 1; }; \
- $(MAKE) apk SIGNKEY="$(abspath $(RELEASE_SIGNKEY))" SIGNPASS="$$signpass"
+ @$(MAKE) apk SIGNKEY="$(abspath $(RELEASE_SIGNKEY))" SIGNPASS_FILE="$(abspath $(RELEASE_SIGNPASS_FILE))"
 apk-container: apk-container-image
 @command -v docker >/dev/null 2>&1 || { echo "docker is required for apk-container"; exit 1; }
@@ -89,6 +99,7 @@ apk-container: apk-container-image
 -v "$(ANDROID_SDK_ROOT):$(ANDROID_SDK_ROOT)" \
 -v "$(ANDROID_NDK_ROOT):$(ANDROID_NDK_ROOT)" \
 $(CONTAINER_SIGNKEY_MOUNT) \
+ $(CONTAINER_SIGNPASSFILE_MOUNT) \
 -e ANDROID_SDK_ROOT="$(ANDROID_SDK_ROOT)" \
 -e ANDROID_NDK_ROOT="$(ANDROID_NDK_ROOT)" \
 -e JAVA_HOME=/opt/java/openjdk \