Sign APK without exposing keystore password

suggest change

You can define the signing configuration to sign the apk in the build.gradle file using these properties:

In many case you may need to avoid this kind of info in the build.gradle file.

Method A: Configure release signing using a file

It’s possible to configure your app’s build.gradle so that it will read your signing configuration information from a properties file like

Setting up signing like this is beneficial because:

First, create a file called in the root of your project with content like this (replacing the values with your own):


Now, in your app’s build.gradle file, set up the signingConfigs block as follows:

android {

signingConfigs { release { def propsFile = rootProject.file(‘’) if (propsFile.exists()) { def props = new Properties() props.load(new FileInputStream(propsFile)) storeFile = file(props[‘storeFile’]) storePassword = props[‘storePassword’] keyAlias = props[‘keyAlias’] keyPassword = props[‘keyPassword’] } } }


That’s really all there is to it, but don’t forget to exclude both your keystore file and your file from version control.

A couple of things to note:

Method B: By using an environment variable

The same can be achieved also without a properties file, making the password harder to find:

android {

  signingConfigs {
    release {
        storeFile file('/your/keystore/location/key')
        keyAlias 'your_alias'
        String ps = System.getenv("ps")
        if (ps == null) {
             throw new GradleException('missing ps env variable')
        keyPassword ps
        storePassword ps

The "ps" environment variable can be global, but a safer approach can be by adding it to the shell of Android Studio only. In linux this can be done by editing Android Studio’s Desktop Entry

Exec=sh -c "export ps=myPassword123 ; /path/to/"

You can find more details in this topic.

Feedback about page:

Optional: your email if you want me to get back to you:

Table Of Contents