Question

We’re developing a new Android application in IntelliJ IDEA and use artifacts to simplify the package signing process. The release keystore is located locally. We are using a public VCS and we are worried about storing keyPassword and keyStorePassword in it.

We couldn’t find anything about the algorithm used to encrypt these values. So, we suppose there might be some vulnerability in storing them on a public server.

Does anybody know some more details about that and could give us some advice?

Thank you


Solution

We don't recommend storing your Android artifacts with keystore passwords on public VCS servers; I've outlined it in the KB article.

Encryption is used just to hide the password from the eyes, but it can be easily decrypted (the code for encryption/decryption is public). This is done intentionally, so that your CI server can build these artifacts (TeamCity should support it).

You can opt for sharing these artifacts only if you are not afraid that your keystore password will become public. If you are sure that the keystore itself is 100% secure and will not be available to the public, making its password available would not hurt, but it obviously increases the chances of leaking your keystore some day together with the password and compromising the applications on the Play Store.
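
As an added example (not part of the question or the answer above, and not JetBrains code): a small Python check that a team in this situation could run over a checkout before pushing. It flags IntelliJ artifact configs that carry a non-empty password attribute, and keystore files committed next to them, which is exactly the combination the answer warns about. The directory `.idea/artifacts/`, the XML layout of the constructed sample files and the attribute-name pattern are assumptions, since the page does not show the real file format; only the attribute names keyPassword and keyStorePassword come from the question.

```python
import re
import tempfile
from pathlib import Path

# Assumption: IntelliJ writes the signing settings as XML attributes whose name
# contains "password" (the question mentions keyPassword and keyStorePassword).
# The pattern also tolerates hyphenated spellings such as key-store-password.
PASSWORD_ATTR = re.compile(r'\b([\w.-]*password[\w.-]*)\s*=\s*"([^"]*)"', re.IGNORECASE)

# File extensions that usually hold the release signing key itself.
KEYSTORE_SUFFIXES = {".jks", ".keystore", ".p12", ".pfx"}


def scan_repo(root: Path) -> list[dict]:
    """Walk a checkout and return findings: password-bearing attributes in
    IntelliJ artifact configs, plus keystore files committed alongside them.

    Each finding is {"file": <path relative to root>, "kind": ..., "attr": ...}.
    """
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in KEYSTORE_SUFFIXES:
            # A committed keystore is a finding on its own: with the reversible
            # password obfuscation described above, key + password leak together.
            findings.append({"file": rel, "kind": "keystore-file", "attr": None})
            continue
        # Assumption: artifact definitions live under .idea/artifacts/*.xml.
        if path.suffix.lower() != ".xml" or ".idea/artifacts" not in rel:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for match in PASSWORD_ATTR.finditer(text):
            name, value = match.group(1), match.group(2)
            if value == "":
                continue  # empty attribute: no secret stored, nothing to report
            findings.append({"file": rel, "kind": "password-attribute", "attr": name})
    return findings


def build_sample_repo(root: Path) -> None:
    """Constructed sample checkout (not real project files): one artifact config
    carrying obfuscated passwords, one with the passwords left empty, and a
    keystore file committed at the repository root."""
    artifacts = root / ".idea" / "artifacts"
    artifacts.mkdir(parents=True)
    (artifacts / "release_apk.xml").write_text(
        '<component name="ArtifactManager">\n'
        '  <artifact type="apk" name="release_apk">\n'
        '    <properties id="android-properties">\n'
        '      <options keyStorePassword="c2VjcmV0" keyPassword="aHVudGVy" />\n'
        '    </properties>\n'
        '  </artifact>\n'
        '</component>\n'
    )
    (artifacts / "debug_apk.xml").write_text(
        '<component name="ArtifactManager">\n'
        '  <artifact type="apk" name="debug_apk">\n'
        '    <properties id="android-properties">\n'
        '      <options keyStorePassword="" keyPassword="" />\n'
        '    </properties>\n'
        '  </artifact>\n'
        '</component>\n'
    )
    # Four bytes of JKS magic only; this is not a usable keystore.
    (root / "release.jks").write_bytes(b"\xfe\xed\xfe\xed")


def demo() -> list[dict]:
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return scan_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['kind']:<18} {finding['file']}"
              + (f"  ({finding['attr']})" if finding["attr"] else ""))
```

On a real checkout, feed `scan_repo` the paths reported by `git ls-files` rather than walking the whole tree, so that a keystore that is correctly ignored by `.gitignore` is not reported as committed. Any non-empty finding should block the push: the fix is to move the keystore and its passwords out of the tracked artifact definition, not to rely on the obfuscation.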

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow