Security Considerations: Storing Private App Signing Key as Secret on Github

I am trying to implement CI on Github for my apps using Github Actions.

I just finished automated testing and now am thinking about going all the way and automatically packaging, signing and uploading an app after I create a release on Github.

The “problem” is that I would have to store my private app signing key as a secret on Github. I trust Github to have good security, especially for Secrets but i am still hesitant to upload it there.

On the one hand it could simplify releases a lot and it’s “kinda cool”. On the other hand in a worst case scenario where the key is compromised a malicious attacker could publish malicious code using these (admittedly not that important) apps.

A private key is also different than an API key in so far that while the API key can be changed/deactivated quickly or only offers access to a staging environment, a private key gives you the means of injecting your code into other Nexcloud instances. I might not even realize it was compromised and malicious versions have been updated until a few weeks after.

What do you think, “fellow app developers”?

P.S. Maybe Nextcloud and other apps have been doing this for a long time. If so, I would like to know. Haven’t researched it yet.

1 Like

I strongly recommend to not do this and instead release manually.
I will also continue to do this for all my apps.