Upgrade to Pro — share decks privately, control downloads, hide ads and more …

アプリに署名する 〜GitHub ActionsでのCIも見据えて〜

Yoshihiro WADA
April 29, 2023
Programming
0
520

アプリに署名する 〜GitHub ActionsでのCIも見据えて〜

2023/4/29に開催されたDroidKaigi.collect { #2@Fukuoka }で登壇した「アプリに署名する 〜GitHub ActionsでのCIも見据えて〜」の資料です

Yoshihiro WADA

April 29, 2023
Tweet

More Decks by Yoshihiro WADA

See All by Yoshihiro WADA
Firebase App Distributionのテストアプリ配信を試しやすくする
e10dokup
0
160
Profileable buildでより正確なパフォーマンスを掴む
e10dokup
0
580
[DroidKaigi 2021] メディアアクセス古今東西 / Now and Future of Media Access
e10dokup
0
2.2k
今更「dp」を考える / Let's think about "dp" now
e10dokup
0
4.1k
1から学ぶAndroidアプリデバッグ - アプリの動作を追いかけよう / Learn Android application debugging from the scratch - track apps' behaviors
e10dokup
10
2.7k
Guide to background processingを読んでみる / Reading "Guide to background processing"
e10dokup
0
210
よしなに頑張る画像ロードの話 / image load mettya tsurai
e10dokup
2
370
WorkManager Stableに向けての所感
e10dokup
2
380
いまさらWorkManager
e10dokup
1
750

Other Decks in Programming

See All in Programming
PicoRuby から始めるたのしい電子工作
ogom
0
540
2023/09/23 「AIキャラクターの言動に深みを持たせる」
sr2mg4
1
400
リアーキテクチャによってどうなりたいか/re-architecture
suzukihoge
2
300
GO TechTalk #22 Reactで描くタクシーアプリ『GO』の世界
mot_techtalk
0
170
Push通知許諾率向上へのアプローチ
miyabigouji
0
880
Flutterにおけるアプリ内課金実装 -Android/iOS完全なる統一 -
nacatl
1
680
SmartHRのパフォーマンス改善が 総力戦だった話
daisukeshinoku
8
3.4k
A JVM Threading Model for the containerized times
lhespanha
0
710
Managing State Beyond ViewModels and Hilt (Updated)
vrallev
3
630
Next.js × AWS App Runner × AWS AppSyncで進めるクライアントファーストのWEB開発
okaharuna
4
1.8k
Decoding Code Review - Elixir Conf US
elainenaomi
3
200
Jetpack Compose の Side-effect を使いこなす / DroidKaigi 2023
star_zero
1
680

Featured

See All Featured
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
177
9.8k
Fireside Chat
paigeccino
18
2.2k
The Language of Interfaces
destraynor
149
22k
Unsuck your backbone
ammeep
660
56k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.4k
Agile that works and the tools we love
rasmusluckow
323
20k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k
What's in a price? How to price your products and services
michaelherold
236
10k
Ruby is Unlike a Banana
tanoku
93
9.9k
Being A Developer After 40
akosma
52
580k
Adopting Sorbet at Scale
ufuk
66
8.1k

Transcript

  1. GitHub Actions CI
    Yoshihiro Wada / @e10dokup
    2023/04/29 @ DroidKaigi.collect { #2@Fukuoka }

    View Slide

  2. {


    “id”: “@e10dokup”,


    “name”: “Yoshihiro Wada”,


    “affiliations”: [


    “CyberAgent Inc, / Ameba”


    ],


    “interested”: [


    “camera”, “gadget”, “driving”, “motorsports”


    ]


    }

    View Slide

  3. GitHub Actions CI
    3

    View Slide

  4. View Slide

  5. View Slide

  6. APK
    AAB
    AAB APK

    Google Play Play App Signing
    Android
    6

    View Slide

  7. 7
    Android Google 3.0

    View Slide

  8. Play Store
    /
    8
    Android Google 3.0

    View Slide

  9. Android Studio Android SDK
    PC
    9

    View Slide

  10. View Slide

  11. keystore jks
    1


    11
    keystore

    View Slide

  12. build.gradle signingCon
    fi
    g
    1
    12
    signingConfigs {


    val releaseKeystore = file("release.keystore")


    if (releaseKeystore.exists()) {


    getByName("release") {


    storeFile = releaseKeystore


    storePassword = "my keystore password"


    keyAlias = "release"


    keyPassword = "my release key password"


    }


    }


    }




    buildTypes {


    getByName("release") {


    signingConfig = signingConfigs.getByName("release")


    }


    }

    View Slide

  13. apksigner/jarsigner
    apksigner Android SDK Build Tools ANDROID_HOME
    2
    13
    // apkΛϦϦʔε伴Ͱॺ໊͢Δ࣌


    apksigner sign --ks release.keystore unsigned.apk


    // aabΛΞοϓϩʔυ伴Ͱॺ໊͢Δ࣌


    jarsigner -verbose \


    -sigalg SHA256withRSA \


    -digestalg SHA-256 \


    -keystore upload.keystore \


    unsigned.aab upload

    View Slide

  14. GitHub Actions

    View Slide

  15. GitHub Actions secrets
    GitHub Actions APK AAB
    15

    View Slide

  16. Base64 secrets
    1
    16
    openssl base64 < release.keystore | tr -d '\n' | tee keystore_encoded.txt
    - name: Decode Keystore


    id: decode_keystore


    uses: timheuer/base64-to-file@v1


    with:


    fileName: 'release.keystore'


    encodedString: ${{ secrets.KEYSTORE }}

    View Slide

  17. pem Base64
    cert.pem /privatekey.pem
    secrets
    2 1
    17
    # keystore͔Βp12ΩʔετΞͱͯ͠伴ΛऔΓग़͢

    keytool -importkeystore -srckeystore release.keystore -srcstoretype JKS \


    -srcalias hogehoge -srcstorepass hogehoge -srckeypass hogehoge \


    -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass hogehoge


    # p12ΩʔετΞ͔ΒpemܗࣜͰূ໌ॻΛऔΓग़͢

    openssl pkcs12 -in keystore.p12 -out cert.pem




    # p12ΩʔετΞ͔ΒpemܗࣜͰൿີ伴ΛऔΓग़͢

    openssl pkcs12 -in keystore.p12 -nodes -nocerts -out privatekey.pem


    View Slide

  18. pem keystore
    CI CI

    OK
    2 2
    18
    # p12ΩʔετΞΛੜ੒͢Δ


    openssl pkcs12 -export -in cert.pem -name hogehoge -inkey privatekey.pem \


    -passin pass:hogehoge -out keystore.p12 -passout pass:hogehoge


    # p12ΩʔετΞ͔ΒkeystoreʢjksϑΝΠϧʣʹม׵͢Δ༷ࢠ

    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 \


    -srcstorepass hogehoge -destkeystore keystore.jks -deststoretype JKS \


    -deststorepass hogehoge -destkeypass hogehoge -destalias hogehoge

    View Slide

  19. secrets pem
    pem
    2 3
    19
    - name: echo key pem files


    env:


    CERT_PEM: ${{ secrets.CERT_PEM }}


    PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}


    run: |


    echo “%CERT_PEM%“ > cert.pem


    echo “%CERT_PRIVATE_KEY%” > privatekey.pem
    - name: echo key pem files


    env:


    KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}


    KEY_ALIAS: ${{ secrets.KEY_ALIAS }}


    KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}


    run: |


    ʻP18ͷ಺༰Λ͜͜ʹຒΊΔʼ

    View Slide

  20. build.gradle signingCon
    fi
    g
    1)
    20
    signingConfigs {


    val releaseKeystore = file("release.keystore")


    if (releaseKeystore.exists()) {


    getByName("release") {


    storeFile = releaseKeystore


    storePassword = System.getenv('KEYSTORE_PASSWORD')


    keyAlias = System.getenv('KEY_ALIAS')


    keyPassword = System.getenv('KEY_PASSWORD')


    }


    }


    }

    View Slide

  21. GitHub Actions
    2)
    21
    # APKΛ࡞Δ࣌


    - name: Build release apk


    run: ./gradlew app:assembleRelease


    env:


    KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}


    KEY_ALIAS: ${{ secrets.KEY_ALIAS }}


    KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}


    # AABΛ࡞Δ࣌


    - name: Build release app-bundle


    run: ./gradlew app:bundleRelease


    env:


    KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}


    KEY_ALIAS: ${{ secrets.KEY_ALIAS }}


    KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}

    View Slide


  22. Play App Signing
    AAB Play App Signing
    22

    View Slide