Using local credentials

Learn how to configure and use local credentials when using EAS.


You can usually get away with not being a code signing expert by letting EAS handle it for you. However, there are cases where some users might want to manage their project keystore, certificates and profiles on their own.

If you would like to manage your own app signing credentials, you can use credentials.json to give EAS Build relative paths to the credentials on your local file system, along with their associated passwords, so that it can use them to sign your builds.

credentials.json

If you opt in to local credentials configuration, you'll need to create a credentials.json file at the root of your project, and it should look something like this:

credentials.json
{
  "android": {
    "keystore": {
      "keystorePath": "android/keystores/release.keystore",
      "keystorePassword": "paofohlooZ9e",
      "keyAlias": "keyalias",
      "keyPassword": "aew1Geuthoev"
    }
  },
  "ios": {
    "provisioningProfilePath": "ios/certs/profile.mobileprovision",
    "distributionCertificate": {
      "path": "ios/certs/dist-cert.p12",
      "password": "iex3shi9Lohl"
    }
  }
}

Remember to add credentials.json and all of your credentials to .gitignore so you don't accidentally commit them to the repository and potentially leak your secrets.

Android credentials

If you want to build an Android app binary you'll need to have a keystore. If you don't have a release keystore yet, you can generate it on your own using the following command (replace KEYSTORE_PASSWORD, KEY_PASSWORD, KEY_ALIAS and com.expo.your.android.package with the values of your choice):

Terminal
keytool \
  -genkey -v \
  -storetype JKS \
  -keyalg RSA \
  -keysize 2048 \
  -validity 10000 \
  -storepass KEYSTORE_PASSWORD \
  -keypass KEY_PASSWORD \
  -alias KEY_ALIAS \
  -keystore release.keystore \
  -dname "CN=com.expo.your.android.package,OU=,O=,L=,S=,C=US"

Once you have the keystore file on your computer, you should move it to the appropriate directory. We recommend you keep your keystores in the android/keystores directory. Remember to git-ignore all your release keystores! If you have run the above keytool command and placed the keystore at android/keystores/release.keystore, you can ignore that file by adding the following line to .gitignore:

.gitignore
android/keystores/release.keystore

Create credentials.json and configure it with the credentials:

credentials.json
{
  "android": {
    "keystore": {
      "keystorePath": "android/keystores/release.keystore",
      "keystorePassword": "KEYSTORE_PASSWORD",
      "keyAlias": "KEY_ALIAS",
      "keyPassword": "KEY_PASSWORD"
    }
  },
  "ios": {
    ...
  }
}
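  • keystorePath points to where the keystore is located on your computer. Both relative (to the project root) and absolute paths are supported.
  • keystorePassword is the keystore password. If you have followed the previous steps, it is the value of KEYSTORE_PASSWORD.
  • keyAlias is the key alias. If you have followed the previous steps, it is the value of KEY_ALIAS.
  • keyPassword is the key password. If you have followed the previous steps, it is the value of KEY_PASSWORD.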

iOS credentials

There are a few more prerequisites for building the iOS app binary. You need a paid Apple Developer Account, and then you'll need to generate the Distribution Certificate and Provisioning Profile for your application, which can be done via the Apple Developer Portal.

Once you have the Distribution Certificate and Provisioning Profile on your computer, you should move them to the appropriate directory. We recommend you keep them in the ios/certs directory. In the rest of this document we assume that they are named dist.p12 and profile.mobileprovision respectively.

Remember to add the directory with your credentials to .gitignore so you don't accidentally commit them to the repository and potentially leak your secrets.

If you have placed the credentials in the suggested directory, you can ignore those files by adding the following line to .gitignore:

.gitignore
ios/certs/*

Create (or edit) credentials.json and configure it with the credentials:

credentials.json
{
  "android": {
    ...
  },
  "ios": {
    "provisioningProfilePath": "ios/certs/profile.mobileprovision",
    "distributionCertificate": {
      "path": "ios/certs/dist.p12",
      "password": "DISTRIBUTION_CERTIFICATE_PASSWORD"
    }
  }
}
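  • provisioningProfilePath points to where the Provisioning Profile is located on your computer. Both relative (to the project root) and absolute paths are supported.
  • distributionCertificate.path points to where the Distribution Certificate is located on your computer. Both relative (to the project root) and absolute paths are supported.
  • distributionCertificate.password is the password for the Distribution Certificate located at distributionCertificate.path.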

Multi-target project

If your iOS app is using App Extensions like Share Extension, Widget Extension, and so on, you need to provide credentials for every target of the Xcode project. This is necessary because each extension is identified by an individual bundle identifier.

Let's say that your project consists of a main application target (named multitarget) and a Share Extension target (named shareextension).

In this case, your credentials.json should look like this:

credentials.json
{
  "ios": {
    "multitarget": {
      "provisioningProfilePath": "ios/certs/multitarget-profile.mobileprovision",
      "distributionCertificate": {
        "path": "ios/certs/dist.p12",
        "password": "DISTRIBUTION_CERTIFICATE_PASSWORD"
      }
    },
    "shareextension": {
      "provisioningProfilePath": "ios/certs/shareextension-profile.mobileprovision",
      "distributionCertificate": {
        "path": "ios/certs/another-dist.p12",
        "password": "ANOTHER_DISTRIBUTION_CERTIFICATE_PASSWORD"
      }
    }
  }
}

Setting a credentials source

You can tell EAS Build how it should resolve credentials by specifying "credentialsSource": "local" or "credentialsSource": "remote" on a build profile.

  • If "local" is provided, then credentials.json will be used.
  • If "remote" is provided, then credentials will be resolved from EAS servers.

For example, maybe you want to use local credentials when deploying to the Amazon Appstore and remote credentials when deploying to the Google Play Store:

eas.json
{
  "build": {
    "amazon-production": {
      "credentialsSource": "local",
      "android": {
        // ...
      }
    },
    "google-production": {
      "credentialsSource": "remote",
      "android": {
        // ...
      }
    }
  }
}

If you do not set any option, "credentialsSource" will default to "remote".

Using local credentials on builds triggered from CI

Before you start setting up your CI job, make sure you have your credentials.json and eas.json files configured as described above.

Developers tend to provide CI jobs with secrets by using environment variables. One challenge with this approach is that the credentials.json file contains a JSON object, which can be difficult to escape properly so that it can be assigned to an environment variable. One possible solution to this problem is to convert the file to a base64-encoded string, set an environment variable to that value, and later decode it and restore the file on the CI.

Consider the following steps:

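  • Run the following command in your console to generate a Base64 string based on your credentials file:
    Terminal
    base64 credentials.json
  • On your CI, set the CREDENTIALS_JSON_BASE64 environment variable with the output of the above command.
  • In the CI job, restore the file using a simple shell command:
    Terminal
    echo "$CREDENTIALS_JSON_BASE64" | base64 -d > credentials.json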

Similarly, you can encode your keystore, provisioning profile and distribution certificate so you can restore them later on the CI. To successfully trigger your build using local credentials from CI, you'll have to make sure all the credentials exist in the CI instance's file system (at the same locations as defined in credentials.json).

Once the restoring steps are in place, you can use the same process described in the Triggering builds from CI guide to trigger the builds.