Slides from my talk "Signing Your App: With CI on GitHub Actions in Mind", given at DroidKaigi.collect { #2@Fukuoka } on 2023/4/29.
Signing Your App: With CI on GitHub Actions in Mind
Yoshihiro Wada / @e10dokup
2023/04/29 @ DroidKaigi.collect { #2@Fukuoka }
    {
      "id": "@e10dokup",
      "name": "Yoshihiro Wada",
      "affiliations": ["CyberAgent Inc, / Ameba"],
      "interested": ["camera", "gadget", "driving", "motorsports"]
    }
GitHub Actions CI (P3)
APKAABAAB APK Google Play Play App Signing Android (P6)
7Android Google 3.0
Play Store/8Android Google 3.0
Android Studio Android SDK PC (P9)
keystore jks1 11keystore
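build.gradle signingConfig 1 (P12)

    signingConfigs {
        val releaseKeystore = file("release.keystore")
        if (releaseKeystore.exists()) {
            // create(), not getByName(): only the "debug" signing config exists by default
            create("release") {
                storeFile = releaseKeystore
                storePassword = "my keystore password"
                keyAlias = "release"
                keyPassword = "my release key password"
            }
        }
    }
    buildTypes {
        getByName("release") {
            // findByName() returns null instead of throwing when the keystore file is absent
            signingConfig = signingConfigs.findByName("release")
        }
    }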
apksigner/jarsigner apksigner Android SDK Build Tools ANDROID_HOME 2 (P13)

    # When signing an APK with the release key
    apksigner sign --ks release.keystore unsigned.apk

    # When signing an AAB with the upload key
    jarsigner -verbose \
      -sigalg SHA256withRSA \
      -digestalg SHA-256 \
      -keystore upload.keystore \
      unsigned.aab upload
GitHub Actions
GitHub Actions secrets GitHub Actions APK AAB (P15)
Base64 secrets 1 (P16)

    openssl base64 < release.keystore | tr -d '\n' | tee keystore_encoded.txt

    - name: Decode Keystore
      id: decode_keystore
      uses: timheuer/base64-to-file@v1
      with:
        fileName: 'release.keystore'
        encodedString: ${{ secrets.KEYSTORE }}
pem Base64 cert.pem /privatekey.pem secrets 2 1 (P17)

    # Extract the key from the keystore as a p12 keystore
    keytool -importkeystore -srckeystore release.keystore -srcstoretype JKS \
      -srcalias hogehoge -srcstorepass hogehoge -srckeypass hogehoge \
      -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass hogehoge

    # Extract the certificate from the p12 keystore in PEM format
    # (-nokeys keeps the private key out of cert.pem)
    openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem

    # Extract the private key from the p12 keystore in PEM format
    openssl pkcs12 -in keystore.p12 -nodes -nocerts -out privatekey.pem
pem keystore CI CI OK 2 2 (P18)

    # Generate the p12 keystore
    openssl pkcs12 -export -in cert.pem -name hogehoge -inkey privatekey.pem \
      -passin pass:hogehoge -out keystore.p12 -passout pass:hogehoge

    # Convert the p12 keystore into a keystore (jks file)
    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 \
      -srcstorepass hogehoge -destkeystore keystore.jks -deststoretype JKS \
      -deststorepass hogehoge -destkeypass hogehoge -destalias hogehoge
secrets pem pem 2 3 (P19)

    - name: echo key pem files
      env:
        CERT_PEM: ${{ secrets.CERT_PEM }}
        PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
      run: |
        # bash expands "$VAR" (not %VAR%); the names match the env keys above
        echo "$CERT_PEM" > cert.pem
        echo "$PRIVATE_KEY_PEM" > privatekey.pem
    - name: echo key pem files
      env:
        KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
        KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
        KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
      run: |
        # <insert the contents of P18 here>
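A check that could run after the PEM files are written from secrets and before the keystore is rebuilt, as an added example that is not from the original slides: it confirms both files hold intact PEM blocks and that the certificate matches a pinned SHA-256 fingerprint. The function names, the sample bytes and the use of a pinned fingerprint are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der)] for PEM blocks with markers on their own lines; der is None if the body is not Base64."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = None
        blocks.append((label, der))
    return blocks

def check_restored_pems(cert_text, key_text, pinned_sha256):
    """Return a list of problems in the restored cert.pem / privatekey.pem contents."""
    problems = []
    cert_blocks = pem_blocks(cert_text)
    certs = [der for label, der in cert_blocks if label == "CERTIFICATE"]
    keys = [der for label, der in pem_blocks(key_text) if "PRIVATE KEY" in label]
    pin = pinned_sha256.replace(":", "").lower()  # accept the colon-separated form too
    if any("PRIVATE KEY" in label for label, _ in cert_blocks):
        problems.append("cert.pem also contains a private key block")
    if not certs:
        problems.append("cert.pem: no CERTIFICATE block (secret empty or newlines lost)")
    elif certs[0] is None:
        problems.append("cert.pem: body is not valid Base64")
    elif hashlib.sha256(certs[0]).hexdigest() != pin:
        problems.append("cert.pem: SHA-256 fingerprint differs from the pinned value")
    if not keys:
        problems.append("privatekey.pem: no PRIVATE KEY block (secret empty or newlines lost)")
    elif keys[0] is None:
        problems.append("privatekey.pem: body is not valid Base64")
    return problems

def make_pem(label, der):  # helper for the constructed sample below
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-in bytes, not a real certificate or key.
SAMPLE_CERT = make_pem("CERTIFICATE", b"constructed certificate DER " * 6)
SAMPLE_KEY = make_pem("PRIVATE KEY", b"constructed private key DER " * 6)
SAMPLE_PIN = hashlib.sha256(b"constructed certificate DER " * 6).hexdigest()
if __name__ == "__main__":
    print(check_restored_pems(SAMPLE_CERT, SAMPLE_KEY, SAMPLE_PIN) or "restored PEM files look consistent")
```

In a workflow the two file contents and the pinned fingerprint would be read from cert.pem, privatekey.pem and a value kept in the repository, and a non-empty result would fail the job before Gradle signs anything.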
build.gradle signingConfig 1) (P20)

    signingConfigs {
        val releaseKeystore = file("release.keystore")
        if (releaseKeystore.exists()) {
            // create(), not getByName(): only the "debug" signing config exists by default
            create("release") {
                storeFile = releaseKeystore
                // Kotlin string literals need double quotes
                storePassword = System.getenv("KEYSTORE_PASSWORD")
                keyAlias = System.getenv("KEY_ALIAS")
                keyPassword = System.getenv("KEY_PASSWORD")
            }
        }
    }
GitHub Actions 2) (P21)

    # When building an APK
    - name: Build release apk
      run: ./gradlew app:assembleRelease
      env:
        KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
        KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
        KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}

    # When building an AAB
    - name: Build release app-bundle
      run: ./gradlew app:bundleRelease
      env:
        KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
        KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
        KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
Play App Signing AAB Play App Signing (P22)