Con: Adds a sensitive file to Nix Store, which will cause it to end up in our Nix Binary Cache
Con: Fails with: Keystore was tampered with, or password was incorrect
probably due to permissions changes?
Use the extra-sandbox-paths to use the file directly from where it’s located.
Pro: Not adding the sensitive file to Nix Store
Con: On NixOS this fails with: ignoring the user-specified setting 'extra-sandbox-paths', because it is a restricted setting and you are not a trusted user
Is there some other third way I can do this? Or maybe some way I can make extra-sandbox-paths work on NixOS?
Probably the best way would be to just use a small shell wrapper around Nix to sign the resulting APK.
That way your build is still clean and you do not have any secrets flying around.
You could even have the signature script be generated through Nix:
Something roughly like this:
{ pkgs, ... }:
let apk = (import ./apk.nix);
in
pkgs.writeShellScript "sign-apk" ''
  # writeShellScript already prepends the #! line, so no shebang is needed here.
  # `androidtools` is a placeholder for whatever package provides the signing tool.
  ${pkgs.androidtools}/bin/sign --key /home/my/key --apk ${apk}
'';
That script is not run during the build process, it’s just generated during the build process.
You tell nix to build the script and all its dependencies, which will automatically build the apk.
Then you manually run the generated script, which will generate the signed apk.
I’ve never built an App myself, so the exact steps are probably way off, but I was only trying to point out a rough direction.
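As an added illustration of the approach above (not code from the thread or from any poster), this is roughly what the generated wrapper's body could look like once it is run outside the build: the unsigned APK is a store path, the keystore is not, and the script refuses to proceed if the key would have come from the store. It assumes `apksigner` from the Android build-tools is on PATH (or named via `APKSIGNER`), that the keystore path is given in `KEYSTORE` and its password in `KS_PASS`; none of those names come from the page.

```shell
#!/bin/sh
# Added example: wrapper that signs a Nix-built APK with a keystore kept
# outside the Nix store. Assumed, not from the page: apksigner on PATH (or
# $APKSIGNER), keystore path in $KEYSTORE, password in $KS_PASS.

# Succeed only if the keystore path is outside /nix/store. Everything in the
# store is world-readable and may be pushed to a binary cache, so a key that
# lands there is effectively public.
key_outside_store() {
    p=$1
    # follow symlinks when possible so a link pointing into the store is caught
    if [ -e "$p" ] || [ -L "$p" ]; then
        p=$(readlink -f -- "$p" 2>/dev/null || printf '%s' "$p")
    fi
    case $p in
        /nix/store/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Sign $2 (the unsigned APK, typically a store path produced by the Nix build)
# into $3 using keystore $1. The password is handed over with env:, not as a
# command-line argument, so it does not show up in `ps` or shell history.
sign_apk() {
    ks=$1 unsigned=$2 out=$3
    if ! key_outside_store "$ks"; then
        echo "refusing to sign: keystore '$ks' is inside the Nix store" >&2
        return 2
    fi
    if [ ! -r "$ks" ]; then
        echo "keystore '$ks' is not readable" >&2
        return 2
    fi
    if [ -z "${KS_PASS:-}" ]; then
        echo "set KS_PASS to the keystore password" >&2
        return 2
    fi
    "${APKSIGNER:-apksigner}" sign \
        --ks "$ks" --ks-pass env:KS_PASS \
        --in "$unsigned" --out "$out"
}

# Usage: KEYSTORE=/home/me/release.jks KS_PASS=... ./sign-apk unsigned.apk signed.apk
if [ "$#" -eq 2 ]; then
    sign_apk "${KEYSTORE:?set KEYSTORE to the keystore path}" "$1" "$2"
fi
```

The store-path check is the part that matters for the thread's concern: it turns "never add the key to the store" from a convention into something the wrapper enforces, and `env:` for the password keeps the secret out of process listings as well.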
Similar to what you would do in industry. At runtime have the application read from a file or environment the information you need. You just want to avoid adding the information to the store.