Keep release signing secrets out of APK build logs
@@ -34,6 +34,7 @@ Environment:
|
|||||||
- `APK_VERSION` overrides the packaged app version.
|
- `APK_VERSION` overrides the packaged app version.
|
||||||
- `ANDROID_MIN_SDK` overrides the minimum supported Android SDK.
|
- `ANDROID_MIN_SDK` overrides the minimum supported Android SDK.
|
||||||
- `ANDROID_TARGET_SDK` overrides the target Android SDK.
|
- `ANDROID_TARGET_SDK` overrides the target Android SDK.
|
||||||
|
- `SIGNPASS_FILE` provides the signing password by file instead of a command-line argument.
|
||||||
- `RELEASE_SIGNKEY` overrides the release keystore path used by `make apk-release`.
|
- `RELEASE_SIGNKEY` overrides the release keystore path used by `make apk-release`.
|
||||||
- `RELEASE_SIGNPASS_FILE` overrides the password file path used by `make apk-release`.
|
- `RELEASE_SIGNPASS_FILE` overrides the password file path used by `make apk-release`.
|
||||||
|
|
||||||
@@ -57,7 +58,8 @@ go tool gogio -target android ./cmd/keepassgo ...
|
|||||||
```
|
```
|
||||||
|
|
||||||
The release target wraps `make apk` and injects explicit signing credentials so
|
The release target wraps `make apk` and injects explicit signing credentials so
|
||||||
local release builds and CI use the same stable key.
|
local release builds and CI use the same stable key without echoing the release
|
||||||
|
password in build logs.
|
||||||
|
|
||||||
The Android build uses the branded icon asset at:
|
The Android build uses the branded icon asset at:
|
||||||
|
|
||||||
|
|||||||
@@ -12,6 +12,7 @@ ANDROID_MIN_SDK ?= 28
|
|||||||
ANDROID_TARGET_SDK ?= 35
|
ANDROID_TARGET_SDK ?= 35
|
||||||
SIGNKEY ?=
|
SIGNKEY ?=
|
||||||
SIGNPASS ?=
|
SIGNPASS ?=
|
||||||
|
SIGNPASS_FILE ?=
|
||||||
RELEASE_SIGNKEY ?= $(HOME)/.config/keepassgo/android-release.keystore
|
RELEASE_SIGNKEY ?= $(HOME)/.config/keepassgo/android-release.keystore
|
||||||
RELEASE_SIGNPASS_FILE ?= $(HOME)/.config/keepassgo/android-release.pass
|
RELEASE_SIGNPASS_FILE ?= $(HOME)/.config/keepassgo/android-release.pass
|
||||||
ARCH_PKG_DIR ?= packaging/archlinux/keepassgo-git
|
ARCH_PKG_DIR ?= packaging/archlinux/keepassgo-git
|
||||||
@@ -29,6 +30,7 @@ GOGIO_SIGN_FLAGS += -signpass $(SIGNPASS)
|
|||||||
endif
|
endif
|
||||||
|
|
||||||
CONTAINER_SIGNKEY_MOUNT :=
|
CONTAINER_SIGNKEY_MOUNT :=
|
||||||
|
CONTAINER_SIGNPASSFILE_MOUNT :=
|
||||||
CONTAINER_SIGN_ARGS :=
|
CONTAINER_SIGN_ARGS :=
|
||||||
ifneq ($(strip $(SIGNKEY)),)
|
ifneq ($(strip $(SIGNKEY)),)
|
||||||
CONTAINER_SIGNKEY_MOUNT += -v "$(dir $(abspath $(SIGNKEY))):$(dir $(abspath $(SIGNKEY))):ro"
|
CONTAINER_SIGNKEY_MOUNT += -v "$(dir $(abspath $(SIGNKEY))):$(dir $(abspath $(SIGNKEY))):ro"
|
||||||
@@ -37,6 +39,10 @@ endif
|
|||||||
ifneq ($(strip $(SIGNPASS)),)
|
ifneq ($(strip $(SIGNPASS)),)
|
||||||
CONTAINER_SIGN_ARGS += SIGNPASS="$(SIGNPASS)"
|
CONTAINER_SIGN_ARGS += SIGNPASS="$(SIGNPASS)"
|
||||||
endif
|
endif
|
||||||
|
ifneq ($(strip $(SIGNPASS_FILE)),)
|
||||||
|
CONTAINER_SIGNPASSFILE_MOUNT += -v "$(dir $(abspath $(SIGNPASS_FILE))):$(dir $(abspath $(SIGNPASS_FILE))):ro"
|
||||||
|
CONTAINER_SIGN_ARGS += SIGNPASS_FILE="$(abspath $(SIGNPASS_FILE))"
|
||||||
|
endif
|
||||||
|
|
||||||
.PHONY: apk apk-local apk-release apk-container apk-container-image archlinux-pkgbuild browser-bridge browser-extension-validate
|
.PHONY: apk apk-local apk-release apk-container apk-container-image archlinux-pkgbuild browser-bridge browser-extension-validate
|
||||||
apk:
|
apk:
|
||||||
@@ -55,6 +61,12 @@ apk-local: android/keepassgo-android.jar
|
|||||||
@test -d "$(ANDROID_SDK_ROOT)/platforms/android-$(ANDROID_TARGET_SDK)" || { echo "Android platform android-$(ANDROID_TARGET_SDK) is missing"; exit 1; }
|
@test -d "$(ANDROID_SDK_ROOT)/platforms/android-$(ANDROID_TARGET_SDK)" || { echo "Android platform android-$(ANDROID_TARGET_SDK) is missing"; exit 1; }
|
||||||
@test -d "$(ANDROID_SDK_ROOT)/build-tools" || { echo "Android build-tools are missing"; exit 1; }
|
@test -d "$(ANDROID_SDK_ROOT)/build-tools" || { echo "Android build-tools are missing"; exit 1; }
|
||||||
@mkdir -p "$(dir $(APK_OUT))"
|
@mkdir -p "$(dir $(APK_OUT))"
|
||||||
|
@set -eu; \
|
||||||
|
if [ -n "$(SIGNPASS_FILE)" ]; then \
|
||||||
|
test -f "$(SIGNPASS_FILE)" || { echo "SIGNPASS_FILE does not exist: $(SIGNPASS_FILE)"; exit 1; }; \
|
||||||
|
export GOGIO_SIGNPASS="$$(tr -d '\r\n' < "$(SIGNPASS_FILE)")"; \
|
||||||
|
test -n "$$GOGIO_SIGNPASS" || { echo "SIGNPASS_FILE is empty: $(SIGNPASS_FILE)"; exit 1; }; \
|
||||||
|
fi; \
|
||||||
ANDROID_HOME="$(ANDROID_SDK_ROOT)" \
|
ANDROID_HOME="$(ANDROID_SDK_ROOT)" \
|
||||||
ANDROID_SDK_ROOT="$(ANDROID_SDK_ROOT)" \
|
ANDROID_SDK_ROOT="$(ANDROID_SDK_ROOT)" \
|
||||||
ANDROID_NDK_ROOT="$(ANDROID_NDK_ROOT)" \
|
ANDROID_NDK_ROOT="$(ANDROID_NDK_ROOT)" \
|
||||||
@@ -74,9 +86,7 @@ apk-local: android/keepassgo-android.jar
|
|||||||
apk-release:
|
apk-release:
|
||||||
@test -f "$(RELEASE_SIGNKEY)" || { echo "Release signing key not found at $(RELEASE_SIGNKEY)"; exit 1; }
|
@test -f "$(RELEASE_SIGNKEY)" || { echo "Release signing key not found at $(RELEASE_SIGNKEY)"; exit 1; }
|
||||||
@test -f "$(RELEASE_SIGNPASS_FILE)" || { echo "Release signing password file not found at $(RELEASE_SIGNPASS_FILE)"; exit 1; }
|
@test -f "$(RELEASE_SIGNPASS_FILE)" || { echo "Release signing password file not found at $(RELEASE_SIGNPASS_FILE)"; exit 1; }
|
||||||
@signpass="$$(tr -d '\r\n' < "$(RELEASE_SIGNPASS_FILE)")"; \
|
@$(MAKE) apk SIGNKEY="$(abspath $(RELEASE_SIGNKEY))" SIGNPASS_FILE="$(abspath $(RELEASE_SIGNPASS_FILE))"
|
||||||
test -n "$$signpass" || { echo "Release signing password file is empty"; exit 1; }; \
|
|
||||||
$(MAKE) apk SIGNKEY="$(abspath $(RELEASE_SIGNKEY))" SIGNPASS="$$signpass"
|
|
||||||
|
|
||||||
apk-container: apk-container-image
|
apk-container: apk-container-image
|
||||||
@command -v docker >/dev/null 2>&1 || { echo "docker is required for apk-container"; exit 1; }
|
@command -v docker >/dev/null 2>&1 || { echo "docker is required for apk-container"; exit 1; }
|
||||||
@@ -89,6 +99,7 @@ apk-container: apk-container-image
|
|||||||
-v "$(ANDROID_SDK_ROOT):$(ANDROID_SDK_ROOT)" \
|
-v "$(ANDROID_SDK_ROOT):$(ANDROID_SDK_ROOT)" \
|
||||||
-v "$(ANDROID_NDK_ROOT):$(ANDROID_NDK_ROOT)" \
|
-v "$(ANDROID_NDK_ROOT):$(ANDROID_NDK_ROOT)" \
|
||||||
$(CONTAINER_SIGNKEY_MOUNT) \
|
$(CONTAINER_SIGNKEY_MOUNT) \
|
||||||
|
$(CONTAINER_SIGNPASSFILE_MOUNT) \
|
||||||
-e ANDROID_SDK_ROOT="$(ANDROID_SDK_ROOT)" \
|
-e ANDROID_SDK_ROOT="$(ANDROID_SDK_ROOT)" \
|
||||||
-e ANDROID_NDK_ROOT="$(ANDROID_NDK_ROOT)" \
|
-e ANDROID_NDK_ROOT="$(ANDROID_NDK_ROOT)" \
|
||||||
-e JAVA_HOME=/opt/java/openjdk \
|
-e JAVA_HOME=/opt/java/openjdk \
|
||||||
|
|||||||
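Review bot: The new `CONTAINER_SIGNPASSFILE_MOUNT` line inside `ifneq ($(strip $(SIGNPASS_FILE)),)` bind-mounts the whole parent directory of the password file, so every other file in that directory becomes readable in the build container. With the defaults, `RELEASE_SIGNKEY` and `RELEASE_SIGNPASS_FILE` both live in `$(HOME)/.config/keepassgo/`, so this repeats the destination already used by `CONTAINER_SIGNKEY_MOUNT`, and Docker normally rejects a second bind to the same destination as a duplicate mount point. Mounting only the file avoids both problems: `CONTAINER_SIGNPASSFILE_MOUNT += -v "$(abspath $(SIGNPASS_FILE)):$(abspath $(SIGNPASS_FILE)):ro"`. Separately, the plaintext path `CONTAINER_SIGN_ARGS += SIGNPASS="$(SIGNPASS)"` is still accepted without any warning, so a caller that sets `SIGNPASS` keeps the password on the command line; a `$(warning ...)` there, or an `$(error ...)` when both `SIGNPASS` and `SIGNPASS_FILE` are set, would make the safer path the obvious one. The `apk` recipe is outside the visible hunks, so whether `apk-release` actually reaches the container path should be confirmed against it.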