From 5f907125c580be7a3051abef3787d14c07518572 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 12 Jan 2026 19:13:12 +0000 Subject: [PATCH 1/2] Initial plan From 3645d09b2f3e8e46117ebbab038d13131244ae7c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 12 Jan 2026 19:24:47 +0000 Subject: [PATCH 2/2] Ensure debug.keystore is properly ignored in .gitignore - Added clarifying comments to .gitignore patterns for keystore files - Added *.keystore pattern to android/.gitignore for defense-in-depth - Updated KEYSTORE_FILES.md documentation to clarify that debug.keystore is NOT tracked in version control - Fixed misleading documentation that suggested debug.keystore should be committed Co-authored-by: jamespepper81 <84083764+jamespepper81@users.noreply.github.com> --- .gitignore | 2 ++ android/.gitignore | 2 ++ docs/KEYSTORE_FILES.md | 37 +++++++++++++++++++++++-------------- 3 files changed, 27 insertions(+), 14 deletions(-) diff --git a/.gitignore b/.gitignore index 34fe159..963de90 100644 --- a/.gitignore +++ b/.gitignore @@ -15,7 +15,9 @@ expo-env.d.ts *.p8 *.p12 *.key +# Ignore all keystore files (including debug.keystore) *.keystore +# Explicitly ignore Android debug keystore android/app/debug.keystore *.mobileprovision diff --git a/android/.gitignore b/android/.gitignore index e2a0395..281cce5 100644 --- a/android/.gitignore +++ b/android/.gitignore @@ -15,4 +15,6 @@ local.properties # Bundle artifacts *.jsbundle +# Keystore files - never commit these to version control debug.keystore +*.keystore diff --git a/docs/KEYSTORE_FILES.md b/docs/KEYSTORE_FILES.md index 3908cf2..9be337e 100644 --- a/docs/KEYSTORE_FILES.md +++ b/docs/KEYSTORE_FILES.md 
@@ -1,23 +1,23 @@ # Keystore Files in BitSleuth Wallet -This document provides a comprehensive overview of keystore files found in the BitSleuth Wallet repository and their purposes. +This document provides a comprehensive overview of keystore file configuration in the BitSleuth Wallet repository. ## Overview -Keystores are used in Android development to sign applications. This repository contains a debug keystore for development purposes. Production keystores are intentionally excluded from version control for security reasons. +Keystores are used in Android development to sign applications. This repository does **not** include keystore files in version control. Each developer generates their own debug keystore locally for development purposes. Production keystores are intentionally excluded from version control for security reasons. -## Keystore Files Found +## Keystore Files Configuration ### 1. Android Debug Keystore -**Location:** `android/app/debug.keystore` +**Location:** `android/app/debug.keystore` (not included in repository) **Type:** Java KeyStore (JKS) -**Size:** 2.3 KB +**Status:** This file is **NOT** tracked in version control and is excluded via `.gitignore`. Each developer generates their own debug keystore locally. **Purpose:** Used for signing debug and development builds of the Android application. -**Credentials:** +**Default Credentials:** - **Store Password:** `android` - **Key Alias:** `androiddebugkey` - **Key Password:** `android` 
@@ -34,6 +34,14 @@ signingConfigs { } ``` +**How to Generate:** Android Studio and Gradle automatically generate a debug keystore when building the app if one doesn't exist. Alternatively, you can manually create one using: +```bash +keytool -genkey -v -keystore android/app/debug.keystore \ + -alias androiddebugkey -keyalg RSA -keysize 2048 \ + -validity 10000 -storepass android -keypass android \ + -dname "CN=Android Debug,O=Android,C=US" +``` + **Security Note:** This is a standard Android debug keystore with default credentials. It should **NEVER** be used for production releases. These default credentials are publicly known and are only suitable for development and testing purposes. ## Production Keystore Configuration @@ -107,8 +115,8 @@ The repository's `.gitignore` file includes the following keystore-related exclu ```gitignore # Android keystores *.jks # Java KeyStore files (Android production keystores) -*.keystore # Android keystore files -!android/app/debug.keystore # Exception: Allow debug keystore (safe, uses default credentials) +*.keystore # Android keystore files (including debug.keystore) +android/app/debug.keystore # Explicitly ignore debug keystore # iOS certificates and provisioning *.p12 # PKCS12 certificate files 
@@ -117,13 +125,13 @@ The repository's `.gitignore` file includes the following keystore-related exclu *.mobileprovision # iOS provisioning profiles ``` -These patterns ensure that production keystores and other sensitive key material are never accidentally committed to version control, while allowing the debug keystore to remain tracked since it uses publicly-known default credentials. +These patterns ensure that **all keystore files**, including debug.keystore, are never accidentally committed to version control. While the debug keystore uses default, publicly-known credentials, it is still excluded from version control to prevent confusion and maintain consistency. -**Important:** The `debug.keystore` is explicitly allowed via the negation pattern `!android/app/debug.keystore` because it's safe for version control. +**Important:** The `debug.keystore` is **NOT** tracked in version control. Each developer should generate their own debug keystore locally, or Android Studio will generate one automatically when building the app. ## Android-Specific Gitignore -The `android/.gitignore` file does not explicitly exclude keystore files, as the root `.gitignore` covers them through the `*.keystore` and `*.jks` patterns. The debug keystore is intentionally tracked in version control (via the negation pattern `!android/app/debug.keystore`) as it uses default, publicly-known credentials and is safe to share. +The `android/.gitignore` file also explicitly excludes `debug.keystore` to ensure it is never tracked, regardless of where it is generated within the Android project directory. This provides defense-in-depth against accidentally committing keystore files. ## iOS-Specific Gitignore 
@@ -178,7 +186,8 @@ For production builds with EAS: ## Summary -The BitSleuth Wallet repository contains only one keystore file: -- **`android/app/debug.keystore`**: Standard Android debug keystore for development +The BitSleuth Wallet repository **does not contain any keystore files in version control**: +- **`android/app/debug.keystore`**: Generated locally by each developer for debug builds (not tracked in git) +- All keystore files (`.keystore`, `.jks`) are excluded via `.gitignore` -Production keystores are intentionally excluded and must be generated separately with secure credentials before releasing the application to end users. +Production keystores must be generated separately with secure credentials and stored securely outside version control before releasing the application to end users.
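Review bot: Nothing in this series removes `android/app/debug.keystore` from the index. The diffstat lists only `.gitignore`, `android/.gitignore` and `docs/KEYSTORE_FILES.md`, while the documentation text being replaced says the repository contains that file ("Size: 2.3 KB"). Ignore rules apply only to untracked paths, so if the keystore is currently committed it stays tracked after this change, and the new "NOT tracked" and "does not contain any keystore files" statements in the Status and Summary sections would be wrong. Check with `git ls-files android/app/debug.keystore` and, if it prints the path, add `git rm --cached android/app/debug.keystore` to this series. In the root `.gitignore` hunk itself, both patterns were already present as context lines, so the change there is comments only; the explicit `android/app/debug.keystore` entry is already covered by `*.keystore` and could be dropped.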
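Review bot: In the `android/.gitignore` hunk, the added `*.keystore` line makes the existing `debug.keystore` entry redundant; keep one of them. If the goal is defense-in-depth for signing material under `android/`, `*.jks` is missing from this file even though the documentation in the same patch names `*.jks` as the production keystore pattern.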
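Review bot: The "How to Generate" paragraph added in the `@@ -34,6 +34,14 @@` hunk says the tooling auto-generates a missing debug keystore, but the documented location is `android/app/debug.keystore`, and the Android build tools create their automatic debug keystore under the user's `~/.android/` directory, not inside the project. If the `signingConfigs` block above this hunk (its body is not visible in the context) points `storeFile` at the project path, a fresh clone will not sign debug builds until the developer runs the manual command, and the doc should say so. In the `keytool` command, add `-storetype JKS` if the "Type: Java KeyStore (JKS)" line is meant literally, since current JDKs default to PKCS12, and prefer `-genkeypair`, the current name for `-genkey`.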
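Review bot: The gitignore snippet edited in the `@@ -107,8 +115,8 @@` hunk keeps trailing comments on the pattern lines (`*.keystore # Android keystore files (including debug.keystore)`). Git treats `#` as a comment marker only at the start of a line, so anyone copying this snippet gets patterns that include the comment text and match nothing useful. The snippet also no longer mirrors the real root `.gitignore`, which this same patch writes with comments on their own lines; move each comment above its pattern so the documented form is the working form.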
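Review bot: The rewritten "Android-Specific Gitignore" paragraph in the `@@ -117,13 +125,13 @@` hunk mentions only `debug.keystore`, although this patch also adds `*.keystore` to `android/.gitignore`; the paragraph should name both patterns so it matches the file. The stated rationale in the paragraph above it ("to prevent confusion and maintain consistency") is vague for a security document; say concretely what the exclusion protects against.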