Signing Your App: With CI on GitHub Actions in Mind

Slides from the talk "Signing Your App: With CI on GitHub Actions in Mind," presented at DroidKaigi.collect { #2@Fukuoka } on April 29, 2023.

Yoshihiro WADA

April 29, 2023

Transcript

  1. GitHub Actions CI
    Yoshihiro Wada / @e10dokup
    2023/04/29 @ DroidKaigi.collect { #2@Fukuoka }


  2. {
      "id": "@e10dokup",
      "name": "Yoshihiro Wada",
      "affiliations": [
        "CyberAgent Inc, / Ameba"
      ],
      "interested": [
        "camera", "gadget", "driving", "motorsports"
      ]
    }

  3. GitHub Actions CI

  6. APK
    AAB
    AAB APK

    Google Play Play App Signing
    Android

  7. Android Google 3.0

  8. Play Store
    /
    Android Google 3.0


  9. Android Studio Android SDK
    PC

  11. keystore jks
    1
    keystore

  12. build.gradle signingConfig
    1
    signingConfigs {
        val releaseKeystore = file("release.keystore")
        // Configure release signing only when the keystore file is present
        if (releaseKeystore.exists()) {
            getByName("release") {
                storeFile = releaseKeystore
                storePassword = "my keystore password"
                keyAlias = "release"
                keyPassword = "my release key password"
            }
        }
    }

    buildTypes {
        getByName("release") {
            signingConfig = signingConfigs.getByName("release")
        }
    }

  13. apksigner/jarsigner
    apksigner Android SDK Build Tools ANDROID_HOME
    2
    # When signing an APK with the release key
    apksigner sign --ks release.keystore unsigned.apk

    # When signing an AAB with the upload key
    jarsigner -verbose \
      -sigalg SHA256withRSA \
      -digestalg SHA-256 \
      -keystore upload.keystore \
      unsigned.aab upload

  14. GitHub Actions


  15. GitHub Actions secrets
    GitHub Actions APK AAB

  16. Base64 secrets
    1
    openssl base64 < release.keystore | tr -d '\n' | tee keystore_encoded.txt

    - name: Decode Keystore
      id: decode_keystore
      uses: timheuer/base64-to-file@v1
      with:
        fileName: 'release.keystore'
        encodedString: ${{ secrets.KEYSTORE }}

  17. pem Base64
    cert.pem /privatekey.pem
    secrets
    2 1
    # Extract the key from the keystore as a p12 keystore
    keytool -importkeystore -srckeystore release.keystore -srcstoretype JKS \
      -srcalias hogehoge -srcstorepass hogehoge -srckeypass hogehoge \
      -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass hogehoge

    # Extract the certificate from the p12 keystore in PEM format
    # (-nokeys keeps the private key out of cert.pem)
    openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem

    # Extract the private key from the p12 keystore in PEM format
    openssl pkcs12 -in keystore.p12 -nodes -nocerts -out privatekey.pem

  18. pem keystore
    CI CI

    OK
    2 2
    # Generate the p12 keystore
    openssl pkcs12 -export -in cert.pem -name hogehoge -inkey privatekey.pem \
      -passin pass:hogehoge -out keystore.p12 -passout pass:hogehoge

    # Convert the p12 keystore to a keystore (JKS file)
    # (-srcalias names the entry created with -name above; -destalias needs it)
    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 \
      -srcstorepass hogehoge -srcalias hogehoge \
      -destkeystore keystore.jks -deststoretype JKS \
      -deststorepass hogehoge -destkeypass hogehoge -destalias hogehoge

  19. secrets pem
    pem
    2 3
    - name: echo key pem files
      env:
        CERT_PEM: ${{ secrets.CERT_PEM }}
        PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
      run: |
        echo "$CERT_PEM" > cert.pem
        echo "$PRIVATE_KEY_PEM" > privatekey.pem
    - name: echo key pem files
      env:
        KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
        KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
        KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
      run: |
        # <Embed the contents of P18 here>
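Added example, not part of the original slides: after the keystore is rebuilt from the PEM secrets as on slides 18 and 19, a CI job can compare the certificate's SHA-256 fingerprint with a pinned value before the build uses the file. The function names (`cert_fp`, `rebuild_keystore`, `demo`), the pinned-fingerprint check, and the throwaway key generated in `demo` are assumptions made for this example; it stops at the PKCS#12 file, after which the keytool conversion from slide 18 would follow.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes openssl is on PATH.
set -eu

# SHA-256 fingerprint (hex, no colons) of the certificate PEM read from stdin.
cert_fp() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}

# rebuild_keystore CERT_PEM KEY_PEM OUT_P12 ALIAS PINNED_FP
# The password is read from $KEYSTORE_PASSWORD rather than the command line,
# so it does not appear in process listings.
rebuild_keystore() (
  umask 077   # keystore must not be group/world readable on the runner
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$4" \
    -out "$3" -passout env:KEYSTORE_PASSWORD
  # Read the certificate back out of the keystore that was just written.
  actual=$(openssl pkcs12 -in "$3" -nokeys -passin env:KEYSTORE_PASSWORD | cert_fp)
  if [ "$actual" != "$5" ]; then
    rm -f "$3"   # never leave an unexpected keystore for the build to pick up
    echo "certificate fingerprint mismatch" >&2
    exit 1
  fi
)

# Constructed throwaway key and self-signed certificate standing in for the
# CERT_PEM / PRIVATE_KEY_PEM secrets. Prints the path of the rebuilt keystore.
demo() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-demo" \
    -keyout "$dir/privatekey.pem" -out "$dir/cert.pem" 2>/dev/null
  KEYSTORE_PASSWORD=constructed-password
  export KEYSTORE_PASSWORD
  pinned=$(cert_fp < "$dir/cert.pem")   # in CI: a value committed to the repo
  rebuild_keystore "$dir/cert.pem" "$dir/privatekey.pem" "$dir/keystore.p12" \
    release "$pinned"
  rm -f "$dir/privatekey.pem"   # the PEM private key is not needed after this
  echo "$dir/keystore.p12"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see the round trip on the constructed key.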

  20. build.gradle signingConfig
    1)
    signingConfigs {
        val releaseKeystore = file("release.keystore")
        if (releaseKeystore.exists()) {
            getByName("release") {
                storeFile = releaseKeystore
                // Passwords and alias come from the environment set by the CI step
                storePassword = System.getenv("KEYSTORE_PASSWORD")
                keyAlias = System.getenv("KEY_ALIAS")
                keyPassword = System.getenv("KEY_PASSWORD")
            }
        }
    }

  21. GitHub Actions
    2)
    # When building an APK
    - name: Build release apk
      run: ./gradlew app:assembleRelease
      env:
        KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
        KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
        KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}

    # When building an AAB
    - name: Build release app-bundle
      run: ./gradlew app:bundleRelease
      env:
        KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
        KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
        KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}


  22. Play App Signing
    AAB Play App Signing