Security Concern #2

Closed
paschaldev opened this issue Jun 26, 2020 · 2 comments

@paschaldev

Is it safe to commit your keystore file as well as the signing credentials in a repo?

@FanchenBao

The .keystore file obviously must be git ignored.

The password for the keystore and key shall not be committed either. The official React Native doc provides another option to store them in ~/.gradle/gradle.properties, which is not part of the app. This way, there is no chance of leaking secure information.

However, I presume that if we are using the global ~/.gradle/gradle.properties, each keystore and alias must identify the app itself to prevent conflict with future projects.

@osamaqarem
Owner

Is it safe to commit your keystore file as well as the signing credentials in a repo?

If it's a private repo and only people who are authorized to deploy the app can access it, I suppose it's fine to commit the key and credentials. Otherwise it should be kept on your machine.

For signing credentials, I will add to the reply above that you can also use local.properties (or create any *.properties file) instead of gradle.properties to store them and not commit it to the repo. But you will need to add more code to app/build.gradle to read the credentials from that file.

Because there are many approaches to securing your key/credentials, I think it's better if we keep the instructions for the guide simple for now (add a note with a link to this issue maybe). People who are concerned about security will probably look into it and figure something out that works for them.
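
As an added illustration of the approach described in the last comment (not code from this repository or from any participant in the thread), an `app/build.gradle` excerpt can read the signing credentials from a properties file that is never committed. The file name `keystore.properties` and its four keys are assumptions chosen for this example.

```groovy
// android/app/build.gradle (excerpt)
// Assumed, uncommitted file android/keystore.properties with constructed keys:
//   storeFile=release.keystore
//   storePassword=<placeholder>
//   keyAlias=<placeholder>
//   keyPassword=<placeholder>
// Both keystore.properties and *.keystore should be listed in .gitignore.

def keystorePropertiesFile = rootProject.file("keystore.properties")
def keystoreProperties = new Properties()
def haveSigningProps = keystorePropertiesFile.exists()

if (haveSigningProps) {
    keystorePropertiesFile.withInputStream { keystoreProperties.load(it) }

    // Fail early with a clear message instead of producing an unsigned
    // or wrongly signed release when a value is missing.
    def required = ['storeFile', 'storePassword', 'keyAlias', 'keyPassword']
    def missing = required.findAll { !keystoreProperties.getProperty(it) }
    if (missing) {
        throw new GradleException(
            "keystore.properties is missing: ${missing.join(', ')}")
    }
}

android {
    signingConfigs {
        release {
            // Left unconfigured on machines without the file, so debug
            // builds still work for contributors who cannot deploy.
            if (haveSigningProps) {
                // Path is resolved relative to the app module directory.
                storeFile file(keystoreProperties.getProperty('storeFile'))
                storePassword keystoreProperties.getProperty('storePassword')
                keyAlias keystoreProperties.getProperty('keyAlias')
                keyPassword keystoreProperties.getProperty('keyPassword')
            }
        }
    }
    buildTypes {
        release {
            signingConfig signingConfigs.release
        }
    }
}
```

Because the file lives inside the project, its key names cannot collide with other apps, which is the concern raised above about the global `~/.gradle/gradle.properties`.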
