As a software engineer at Infinite Red, I have been privileged to work on several React Native projects over the last month. Normally a new technology takes me several months to get to a point where I can feel productive on my own, but with React Native it only took a few days, so huge kudos to them for setting up outstanding projects and to the engineers at Facebook for creating such an awesome framework. Under the tutelage of Steve Kellock, Gant Laborde, and Mark Rickert, I was shocked at how quickly I was able to ramp up on this new technology.

Step 2 - Configure your build to use the upload key

This is where the official docs aren't that great. The official docs ask you to add your key passwords to either the user-wide ~/.gradle/gradle.properties or your app's android/gradle.properties. If you work on multiple Android projects, mixing up your upload key passwords in a single user-wide file can be messy, and the alternative of storing them in the checked-in file android/gradle.properties is a no-no since the passwords are stored in plaintext.

Instead, what you can do is create a separate file and keep it within your app's workspace, but add it to your .gitignore (or, if you're not using git, your VCS's equivalent) so you don't commit it to source control.

First create the properties file under android/app/ and add your keystore config:

    key.store=upload.keystore

Now update android/app/build.gradle to use the properties file you just created. This way, your secrets (although still in plaintext) are at least separated from the rest of your codebase.

    def keystorePropertiesFile = rootProject.file('app/')
    def keystoreProperties = new Properties()
    // Only load the file when it exists; otherwise the release signing config stays
    // empty and the build fails with a signing error instead of a file-not-found crash.
    if (keystorePropertiesFile.exists()) {
        keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
    }

    buildTypes {
        release {
            minifyEnabled enableProguardInReleaseBuilds
            proguardFiles getDefaultProguardFile("proguard-android.txt"), "proguard-rules.pro"
            signingConfig signingConfigs.release // 'bug' -> 'signingConfigs.release'
        }
    }

The code reads fairly well, but what we are doing is reading in the upload key properties we have defined in the properties file under app/ and telling Gradle to use them for our release builds. We also guard against the case where the release properties file doesn't exist (perhaps someone on your team without release key access is mistakenly trying to run a release build); you will simply see a signing failed error in this case.

Step 3 - Configure your VCS to ignore your upload key passwords

Add the properties file you created in step 2 to your .gitignore to prevent accidentally checking in the passwords stored in it. If you're not using git, check your VCS's documentation to determine how to add to your ignore list.

To build your release bundle, run the following from the android directory:

    $

If you've set up everything correctly, your build will sign your app bundle with your new upload key, producing an app bundle at android/app/build/outputs/bundle/release/app-release.aab.

You should now have Android app signing configured for your React Native app. Upload your app bundle to the Google Play Console and opt in to App Signing by Google Play when prompted.

Your upload key passwords are still stored within your app codebase, but they are cleanly separated from the rest of your code and will not be checked into version control. There is still one problem remaining, however: our passwords are stored in plaintext. In a future article, we will discuss how to plug this last security hole.
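As an added check (example code written for this page, not part of the original post or of any Infinite Red project), the script below audits a checkout for the two mistakes the steps above guard against: an upload-key password literal in a checked-in Gradle file, and a properties file that .gitignore does not cover. It assumes the properties file is android/app/keystore.properties with key.store.password and key.alias.password keys, which the post does not name; every sample value is constructed.

```python
import re
from fnmatch import fnmatch

# Assumed file name and property keys (the post shows only key.store); constructed for this example.
PROPS_REL = "android/app/keystore.properties"
SECRET_KEYS = ("key.store.password", "key.alias.password")
CHECKED_IN = ("android/gradle.properties", "android/app/build.gradle")

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value; '#'/'!' lines are comments."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line) if line and line[0] not in "#!" else None
        if m:
            props[m.group(1)] = m.group(2)
    return props

def ignored(rel, patterns):
    """Simplified .gitignore match: exact path, basename, and leading '/' or '**/' forms."""
    name = rel.rsplit("/", 1)[-1]
    pats = [re.sub(r"^/|^\*\*/", "", p.strip()) for p in patterns]
    return any(p and p[0] != "#" and (fnmatch(rel, p) or fnmatch(name, p)) for p in pats)

def audit(files):
    """files: repo-relative path -> content. Returns findings; [] means secrets are separated and ignored."""
    if PROPS_REL not in files:
        return ["%s missing: the release build will fail to sign" % PROPS_REL]
    props = parse_properties(files[PROPS_REL])
    findings = ["%s not set in %s" % (k, PROPS_REL) for k in SECRET_KEYS if not props.get(k)]
    secrets = {props[k] for k in SECRET_KEYS if props.get(k)}
    for rel in CHECKED_IN:  # committed files must not carry the password literals
        if any(s in files.get(rel, "") for s in secrets):
            findings.append("secret literal in %s" % rel)
    if not ignored(PROPS_REL, files.get(".gitignore", "").splitlines()):
        findings.append(".gitignore does not cover %s" % PROPS_REL)
    return findings

# Constructed sample repo laid out as in the post (all values are made up).
CLEAN = {
    PROPS_REL: "key.store=upload.keystore\nkey.alias=upload\n"
               "key.store.password=hunter2\nkey.alias.password=hunter2\n",
    "android/app/build.gradle": "def keystorePropertiesFile = rootProject.file('app/keystore.properties')\n",
    "android/gradle.properties": "android.useAndroidX=true\n",
    ".gitignore": "**/keystore.properties\n",
}
# Same repo with the password pasted into the checked-in gradle.properties and no ignore rule.
LEAKY = dict(CLEAN, **{"android/gradle.properties": "MYAPP_UPLOAD_STORE_PASSWORD=hunter2\n",
                       ".gitignore": "*.log\n"})
```

To audit a real checkout, build the dict from the four paths in CHECKED_IN, PROPS_REL and .gitignore and pass it to audit().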