Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
170 views
in Technique[技术] by (71.8m points)

java - Is there any reason I shouldn't store my keystore in version control?

I'm using a keystore (.jks) to store the certificate I use to sign my Android applications. The Android documentation and community have impressed on me the importance of never losing this file, but I haven't found any guidance on where I should keep it.

Would storing it in Git be a terrible idea (i.e. would it have security consequences)?

Assume that the keystore itself and the private keys inside both have strong passwords on them.

question from:https://stackoverflow.com/questions/17491794/is-there-any-reason-i-shouldnt-store-my-keystore-in-version-control

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Anyone with read access to your Git repo will get the private key. This is considered a security issue and for that reason it is not recommended. If your GIT repo is completely private meaning no one but you has access to it (NOT A private repo on i.e. GitHub, but rather git repo on local disk or in the infrastructure you control in 100%) then putting your private key there is as safe as keeping it on your local disk.

Assume that the keystore itself and the private keys inside both have strong passwords on them

Note that password is your last way of defense in case of your ("public") private key. If it will be compromised in any way (guessed, stolen, cracked) then it's over.

Additionally, I am more than certain that not all (if any) of devs needs access to release keys. If you need them to have it, hand it off the repo. But I'd first rethink the security policy.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...