2

Some tutorials recommend donĀ“t save a key in GitHub for security reasons, they to keep the file in .gitignore but for example some Social Networks like Facebook or Linkedin create a key in Info.plist file.

The Info.plist contains many others settings of the app and must be commit.

How can I keep in safe my key and commit the Info.plist normally.

Example of Info.plist (CFBundleURLSchemes and FacebookAppID)

<key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>fb355414950742780</string>
            </array>
        </dict>
    </array>
<key>FacebookAppID</key>
<string>355414950742780</string>
Haroldo Gondim
  • 7,725
  • 9
  • 43
  • 62

1 Answers1

1

It is too risky to try and never push the Info.plist file.
It is safer to not version it (git rm --cached <File>, and added to the .gitignore)

Then you can use a content filter driver, using using .gitattributes declaration:

Register a smudge script, which will generate the file with sensitive information on git checkout.

enter image description here (image from "Customizing Git - Git Attributes", from "Pro Git book")

That 'smudge' script( that you have to write) would need to:

  • fetch the key (from a source outside the repo, that way no risk to add and push by mistake)
  • generate the Info.plist file, using a tracked template Info.plist.tpl with placeholder value in it to replace.

That means:

  • the template Info.plist.tpl is added to the git repo
  • the generate file Info.plist is declared in the .gitignore file and never versioned (and never pushed).
Community
  • 1
  • 1
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250