diff --git a/.gitignore b/.gitignore index 34fe159..963de90 100644 --- a/.gitignore +++ b/.gitignore @@ -15,7 +15,9 @@ expo-env.d.ts *.p8 *.p12 *.key +# Ignore all keystore files (including debug.keystore) *.keystore +# Explicitly ignore Android debug keystore android/app/debug.keystore *.mobileprovision diff --git a/android/.gitignore b/android/.gitignore index e2a0395..281cce5 100644 --- a/android/.gitignore +++ b/android/.gitignore @@ -15,4 +15,6 @@ local.properties # Bundle artifacts *.jsbundle +# Keystore files - never commit these to version control debug.keystore +*.keystore diff --git a/docs/KEYSTORE_FILES.md b/docs/KEYSTORE_FILES.md index 3908cf2..9be337e 100644 --- a/docs/KEYSTORE_FILES.md +++ b/docs/KEYSTORE_FILES.md 
@@ -1,23 +1,23 @@ # Keystore Files in BitSleuth Wallet -This document provides a comprehensive overview of keystore files found in the BitSleuth Wallet repository and their purposes. +This document provides a comprehensive overview of keystore file configuration in the BitSleuth Wallet repository. ## Overview -Keystores are used in Android development to sign applications. This repository contains a debug keystore for development purposes. Production keystores are intentionally excluded from version control for security reasons. +Keystores are used in Android development to sign applications. This repository does **not** include keystore files in version control. Each developer generates their own debug keystore locally for development purposes. Production keystores are intentionally excluded from version control for security reasons. -## Keystore Files Found +## Keystore Files Configuration ### 1. Android Debug Keystore -**Location:** `android/app/debug.keystore` +**Location:** `android/app/debug.keystore` (not included in repository) **Type:** Java KeyStore (JKS) -**Size:** 2.3 KB +**Status:** This file is **NOT** tracked in version control and is excluded via `.gitignore`. Each developer generates their own debug keystore locally. **Purpose:** Used for signing debug and development builds of the Android application. -**Credentials:** +**Default Credentials:** - **Store Password:** `android` - **Key Alias:** `androiddebugkey` - **Key Password:** `android` 
@@ -34,6 +34,14 @@ signingConfigs { } ``` +**How to Generate:** Android Studio and Gradle automatically generate a debug keystore when building the app if one doesn't exist. Alternatively, you can manually create one using: +```bash +keytool -genkey -v -keystore android/app/debug.keystore \ + -alias androiddebugkey -keyalg RSA -keysize 2048 \ + -validity 10000 -storepass android -keypass android \ + -dname "CN=Android Debug,O=Android,C=US" +``` + **Security Note:** This is a standard Android debug keystore with default credentials. It should **NEVER** be used for production releases. These default credentials are publicly known and are only suitable for development and testing purposes. ## Production Keystore Configuration @@ -107,8 +115,8 @@ The repository's `.gitignore` file includes the following keystore-related exclu ```gitignore # Android keystores *.jks # Java KeyStore files (Android production keystores) -*.keystore # Android keystore files -!android/app/debug.keystore # Exception: Allow debug keystore (safe, uses default credentials) +*.keystore # Android keystore files (including debug.keystore) +android/app/debug.keystore # Explicitly ignore debug keystore # iOS certificates and provisioning *.p12 # PKCS12 certificate files 
@@ -117,13 +125,13 @@ The repository's `.gitignore` file includes the following keystore-related exclu *.mobileprovision # iOS provisioning profiles ``` -These patterns ensure that production keystores and other sensitive key material are never accidentally committed to version control, while allowing the debug keystore to remain tracked since it uses publicly-known default credentials. +These patterns ensure that **all keystore files**, including debug.keystore, are never accidentally committed to version control. While the debug keystore uses default, publicly-known credentials, it is still excluded from version control to prevent confusion and maintain consistency. -**Important:** The `debug.keystore` is explicitly allowed via the negation pattern `!android/app/debug.keystore` because it's safe for version control. +**Important:** The `debug.keystore` is **NOT** tracked in version control. Each developer should generate their own debug keystore locally, or Android Studio will generate one automatically when building the app. ## Android-Specific Gitignore -The `android/.gitignore` file does not explicitly exclude keystore files, as the root `.gitignore` covers them through the `*.keystore` and `*.jks` patterns. The debug keystore is intentionally tracked in version control (via the negation pattern `!android/app/debug.keystore`) as it uses default, publicly-known credentials and is safe to share. +The `android/.gitignore` file also explicitly excludes `debug.keystore` to ensure it is never tracked, regardless of where it is generated within the Android project directory. This provides defense-in-depth against accidentally committing keystore files. ## iOS-Specific Gitignore 
@@ -178,7 +186,8 @@ For production builds with EAS: ## Summary -The BitSleuth Wallet repository contains only one keystore file: -- **`android/app/debug.keystore`**: Standard Android debug keystore for development +The BitSleuth Wallet repository **does not contain any keystore files in version control**: +- **`android/app/debug.keystore`**: Generated locally by each developer for debug builds (not tracked in git) +- All keystore files (`.keystore`, `.jks`) are excluded via `.gitignore` -Production keystores are intentionally excluded and must be generated separately with secure credentials before releasing the application to end users. +Production keystores must be generated separately with secure credentials and stored securely outside version control before releasing the application to end users.
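Review bot: in the root `.gitignore` hunk (`@@ -15,7 +15,9 @@`), only the two comment lines are added; `android/app/debug.keystore` appears as an unchanged context line and no `-!android/app/debug.keystore` line is removed, yet the `docs/KEYSTORE_FILES.md` hunk says that negation is being replaced. Confirm the negation is actually gone from the root `.gitignore`: a later `!` pattern re-includes the file no matter what `*.keystore` says above it. Also, adding a path to `.gitignore` does not untrack a file already in the index; if `android/app/debug.keystore` was committed before, this commit needs `git rm --cached android/app/debug.keystore` as well, otherwise the file stays tracked and the new wording "NOT tracked in version control" is false. `git ls-files android/app/debug.keystore` should print nothing after the patch is applied.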
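Review bot: in the `android/.gitignore` hunk (`@@ -15,4 +15,6 @@`), `debug.keystore` is an existing line, so the old documentation text claiming this file "does not explicitly exclude keystore files" was already wrong before this patch; the added `*.keystore` rule is redundant with the root rule but harmless. Since the root file also ignores `*.jks` (per the documented pattern list), consider adding `*.jks` here too so the two files give the same defense-in-depth the doc now advertises.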
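Review bot: the Overview hunk of `docs/KEYSTORE_FILES.md` (`@@ -1,23 +1,23 @@`) introduces per-developer debug keystores without stating the consequence: debug APKs signed with different keystores carry different signatures, so installing one developer's debug build over another developer's (or a CI-built) debug build fails with `INSTALL_FAILED_UPDATE_INCOMPATIBLE` until the existing app is uninstalled. If a shared debug signature matters (shared test devices, debug APKs handed to testers), document a team-shared debug keystore distributed outside git rather than independent generation. The "Default Credentials" block is still needed because the `keytool` command relies on it, but say explicitly that `android`/`androiddebugkey` are the Android SDK defaults, not project-chosen values.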
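Review bot: in the "How to Generate" hunk (`@@ -34,6 +34,14 @@`), the claim that Android Studio and Gradle automatically generate a debug keystore if one doesn't exist is only true for the SDK default `~/.android/debug.keystore`. If `signingConfigs.debug` references `file('debug.keystore')` in `android/app` (the Location line above gives `android/app/debug.keystore`), the build fails with a "Keystore file not found" error rather than creating the file, so the `keytool` command is the required step, not an alternative; reword, or point the signing config at the SDK default. Two details on the command itself: on JDK 9+ `keytool` defaults to PKCS12, so add `-storetype JKS` if the "Type: Java KeyStore (JKS)" line is meant literally (AGP accepts either format), and `-genkey` is the legacy alias of `-genkeypair`.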
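Review bot: in the documented `.gitignore` excerpt (`@@ -107,8 +115,8 @@`), `android/app/debug.keystore` is already fully covered by `*.keystore` two lines above it; keeping the explicit entry is fine as a statement of intent, but the comment `# Explicitly ignore debug keystore` should say why (it survives if someone later narrows or removes `*.keystore`). More importantly, this excerpt must mirror the real root `.gitignore` from the first hunk, which uses the standalone comments `# Ignore all keystore files (including debug.keystore)` and `# Explicitly ignore Android debug keystore`, not the inline `# ...` comments shown here; drift between this doc and the actual file is exactly how the stale `!android/app/debug.keystore` claim came about.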
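Review bot: in the hunk at `@@ -117,13 +125,13 @@`, "to prevent confusion and maintain consistency" is vague; the concrete reason to drop the `!android/app/debug.keystore` exception is that a path-specific negation lets any file placed at that path be committed, including a real release keystore someone copies there by mistake, and a tracked `*.keystore` file sets a precedent for committing keystores at all. The sentence "or Android Studio will generate one automatically when building the app" has the same problem as the "How to Generate" section: that only holds for `~/.android/debug.keystore`, not for a path configured in `signingConfigs`. The "regardless of where it is generated within the Android project directory" claim is correct, since a `debug.keystore` pattern with no slash matches at any depth.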
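Review bot: the Summary hunk (`@@ -178,7 +186,8 @@`) asserts the repository "does not contain any keystore files in version control" without a way to verify it; add the check `git ls-files | grep -Ei '\.(keystore|jks|p12)$'` (expected to print nothing) and note that a keystore committed before this change stays in git history until purged, which matters only if the tracked file was ever anything other than the public-default debug keystore. "stored securely outside version control" should point at the EAS section above ("For production builds with EAS") so readers know where the release keystore is actually kept and who holds the credentials.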