Julian Finkler

Sign Android apps using 1Password

A German version of this article is also available: https://dev.to/devtronic/android-apps-mithilfe-von-1password-signiere-472o

Android developers know: If you want to upload an app to the Google Play Store, the app bundle or APK must be signed with a key.

As an individual developer, the process is relatively straightforward:

  1. Create a Java Key Store (JKS)
  2. Add a signing key to the JKS
  3. Create a key.properties file containing details such as the key alias and password
  4. Use this to sign the app

The JKS should not be committed

From a security perspective, neither the JKS nor the properties file should be committed to a VCS. This introduces several challenges:

  • I need to ensure the JKS is stored in a secure location to avoid loss.
  • When working in a team, every developer must store the JKS and properties file locally.
  • If a new key is added to the JKS, all other developers must update their file accordingly.

This can become very tedious, which is why I looked for an alternative, better approach that avoids dealing with files.

1Password to the rescue

1Password is primarily a password manager. However, over the years, especially for developers, quite a few useful features have been added. One of them is the 1Password CLI – a very practical tool that allows you to retrieve data from 1Password.

That’s when I had an idea: Why store and exchange these highly sensitive files manually if we can manage them centrally in 1Password instead? I hoped for the following advantages:

  • A single location to store the information
  • Gradle reads the information directly from 1Password – no need to place files manually
  • New keys are automatically available to all developers when the JKS in 1Password is updated
  • No sensitive data in the repository (especially relevant in the age of AI agents)

Setup Instructions

1Password CLI

First, install the 1Password CLI (op). You can find out how in the official documentation: https://developer.1password.com/docs/cli/get-started/

Then run the command op signin in your terminal to log in.

Create the JKS

If you don’t have a JKS yet, you can create one easily in Android Studio via Build > Generate Signed App Bundle or APK.

It’s important to write down the values you enter there — we will transfer them to 1Password in the next step.

Creating a JKS in Android Studio

Store the information in 1Password

Before Gradle can load the information from 1Password, an entry must exist.

I first created a new vault (name: AndroidDevelopment). Then I created a new entry of type "Password" in that vault.

As a naming convention, I use something URL-safe. Username and password can be left empty. Instead, add the following fields:

  • KEY_ALIAS (field type: Text) → the key alias
  • KEYSTORE_PASSWORD (field type: Password) → the password of the JKS
  • KEY_PASSWORD (field type: Password) → the password of the key
  • Finally, add the keystore.jks file as an attachment (the filename will be used exactly as-is)

Signature information created in 1Password

You can then save the entry.

Adjust the Gradle script

Finally, Gradle needs to be configured to load data from 1Password using the CLI.

I've summarized the required changes in this GitHub Gist. The only thing you need to adapt is line 5 (val secretsItem): there you specify the path to your 1Password entry in the form op://VAULT_NAME/ENTRY_NAME. Apart from that, you can use the script as-is.

https://gist.github.com/devtronic/8db7a0a8607eabce0afb97c55fd60819

How it works

The core of the solution is the runOp function, which communicates with the 1Password CLI. Additionally, there are two tasks:

  • prepareKeystore → Loads the JKS from 1Password and places the file in the correct location
  • cleanupKeystore → Deletes the JKS right after the build process

Hooks for assembleRelease and bundleRelease are then configured to trigger the tasks.

The variables keystorePassword, keyAliasValue, and keyPasswordValue are loaded accordingly and later used in the signingConfigs.
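The structure described above, as an added example in Gradle Kotlin DSL (this is not the author's Gist; the item path, the build/signing/keystore.jks location, the `op read … --out-file` invocation and the release-only guard are my assumptions):

```kotlin
// app/build.gradle.kts (excerpt): added illustration, not the code from the author's Gist.
// Assumptions: 1Password CLI v2 (`op`) on PATH and signed in; an item with fields KEY_ALIAS,
// KEYSTORE_PASSWORD, KEY_PASSWORD and an attachment named keystore.jks; names follow the post.

// Secret reference to the 1Password entry: op://VAULT_NAME/ENTRY_NAME (adapt this)
val secretsItem = "op://AndroidDevelopment/my-app-signing"

// Runs `op` and returns its trimmed stdout. A non-zero exit fails the build, so a
// missing item or an expired session never yields a silently unsigned build.
fun runOp(vararg args: String): String =
    providers.exec { commandLine("op", *args) }.standardOutput.asText.get().trim()

// Only contact 1Password when a release task was requested, so debug builds
// and IDE syncs do not trigger the access prompt.
val releaseRequested = gradle.startParameter.taskNames.any { it.contains("Release") }
val keystoreFile = layout.buildDirectory.file("signing/keystore.jks")

val keystorePassword by lazy { runOp("read", "$secretsItem/KEYSTORE_PASSWORD") }
val keyAliasValue by lazy { runOp("read", "$secretsItem/KEY_ALIAS") }
val keyPasswordValue by lazy { runOp("read", "$secretsItem/KEY_PASSWORD") }

// prepareKeystore: fetch the attachment into build/ (never into the repository)
val prepareKeystore by tasks.registering {
    doLast {
        val target = keystoreFile.get().asFile
        target.parentFile.mkdirs()
        runOp("read", "$secretsItem/keystore.jks", "--out-file", target.absolutePath, "--force")
    }
}

// cleanupKeystore: remove the JKS as soon as the release task has finished
val cleanupKeystore by tasks.registering(Delete::class) { delete(keystoreFile) }
android {
    signingConfigs {
        create("release") {
            if (releaseRequested) {
                storeFile = keystoreFile.get().asFile
                storePassword = keystorePassword
                keyAlias = keyAliasValue
                keyPassword = keyPasswordValue
            }
        }
    }
    buildTypes { getByName("release") { signingConfig = signingConfigs.getByName("release") } }
}

// Hooks: release tasks wait for the keystore and are always followed by cleanup
tasks.matching { it.name == "assembleRelease" || it.name == "bundleRelease" }.configureEach {
    dependsOn(prepareKeystore)
    finalizedBy(cleanupKeystore)
}
tasks.matching { it.name.contains("Release") }.configureEach { mustRunAfter(prepareKeystore) }
```

Because the JKS briefly exists on disk under build/, keep that directory out of version control and out of any CI artifact uploads.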

Build the app

Now you’re ready to build the app. During the build, you’ll see the familiar 1Password popup asking you to grant access.

Grant access to 1Password

Conclusion

With just a few steps, this method ensures that signing Android apps remains simple even in larger teams. Additionally, it allows secure signing within CI/CD pipelines, without needing to commit the JKS or load it via workarounds.
