Best practice for providing secrets, like API keys, to build without saving them to repository?

I am working on a Xamarin solution with iOS and Android projects that reference a common PCL project. The common PCL project has code for making requests to a backend REST service, which requires client authentication to create new accounts. I.e. the client must have a valid API key in order to create new accounts. The entire solution is in a git repository that is open source, so it's not possible to store the API key in a string constant in a class or in any of the checked in solution/project/property files.

Is there a best practice for storing these secrets and making them accessible at build time?

For example, is there a way to store the key in a file, or the keychain on OS X, and then include that value when building and expose it as a constant at runtime?

(I apologize in advance if this is a duplicate, but I couldn't find an equivalent question in my searching.)

Best Answer

Answers

  • BalzsCsernaiBalzsCsernai USMember

    Hi,

    I'm also interested some kind of solution other than ".gitignore"-ing a file, because it's very lame and it's NOT a solution. Writing custom build scripts also NOT a solution. The most depressing in this that I've not found any solution on the internet not even on stackoverflow.

    "... everything was better with Gradle :'( ..."

  • RodrigoJuarez.1796RodrigoJuarez.1796 USMember ✭✭

    Did you find a good way to implement this?

  • JohnHJohnH GBMember ✭✭✭✭✭
    edited April 8

    @RodrigoJuarez.1796 said: @MikeCodesDotNet
    Did you find a good way to implement this?

    I inject such values during private builds defined in Azure DevOps. Then it doesn't matter who can see the source code, your keys/secrets are still private.

  • RodrigoJuarez.1796RodrigoJuarez.1796 USMember ✭✭

    I probably will use app center variables for this and a pre-build script, @MikeCodesDotNet, thanks!

Sign In or Register to comment.