android build release apk on jenkins, without storing my password in plain text

Question

I need to be able to build the release version of my apk, using a Jenkins job.

From reading the following SO question

How to create a release signed apk file u

Answer 1

If your Jenkins instance happens to be running on EC2, and you don't want to permanently store secrets in the file system, you can put the store and key passwords into Systems Manager Parameter Store, then query them at build time. In addition, you can put the keystore itself into external storage, such as S3, and only keep it locally for the duration of the build.

Here is a sample build script (assume that the secret parameters are named android-keystore-pass and android-signature-key-pass):

set -o errexit
set -o pipefail

keystore_file=keystore.properties
keystore=wise.jks

aws s3 cp s3://path-to-android/$keystore .

chmod go-rwx $keystore

touch $keystore_file
chmod go-rwx $keystore_file

cat > $keystore_file << EOF
storePassword=`aws ssm get-parameters --names android-keystore-pass --with-decryption | cut -f4`
keyPassword=`aws ssm get-parameters --names android-signature-key-pass --with-decryption | cut -f4`
keyAlias=android
storeFile=$WORKSPACE/$keystore
EOF

An example of the Gradle build scripts can be found in this answer. You can commit a dummy keystore.properties to source control so that (non-release) builds work on dev machines.

There are also open-source secret distribution tools that are platform-independent, e.g. Vault, but I haven't tried any of them.