Best Practices for Managing Keystore Files in CI/CD Pipelines for Android Flutter Apps

Hello everyone,

I’m currently building an Android Flutter app using a CI/CD pipeline and facing a challenge with securely managing my keystore (.jks) file.

In my setup, I’m storing the .jks file in Google Secret Manager. During the build process, my script fetches the keystore file from Secret Manager and uses it for signing the build. Here’s a summary of my current workflow:

1. Store the keystore file in Google Secret Manager as a secret.
2. Fetch the keystore during the build using a Google Cloud command (gcloud secrets versions access latest).
3. Use it in the Android build process.

I want to ensure that this approach adheres to best practices for security and maintainability. Specifically, I’d like to know:

• Are there alternative or better ways to handle .jks files in CI/CD pipelines?
• How do others in the community manage their keystore files securely while building Android apps?
• Any tips to improve or further secure this workflow?

Looking forward to hearing your thoughts and experiences.

Thanks in advance!

Best Regards.,

Karpaga Selvan