Good location for Android Keystore?

Are there any guidelines for what the location of the Android keystore "should" be? I'm ready to release my first app, and in Export Android Application I'm creating a new keystore and it wants me to specify the location.

FWIW my Eclipse Workspace is on a shared network drive and I access it from any of 3 different development systems. I've had no problems doing this. The default location that came up for the keystore location seemed to be in the SDK directory tree, but that won't work for me because each PC has its own copy of the SDK installed. I need it to be in a location which can be seen from any PC that I might be doing development work from, so I assume that means the network drive or some virtual location in the cloud.

Are there guidelines, rules, restrictions or other things I need to know about the location of the keystore?


As long as it's somewhere safe (i.e. backed up remotely in source control or by some other method) it doesn't really matter. If you lose the keystore somehow then you'll no longer be able to update your app on the Android Market and will be forced to remove it and re-upload it as a new app signed with a new key.

If you're worried about security, remember that both the keystore and individual keys within it can (and should) be password protected.

My keystore is in the root of my Android Eclipse workspace, which is also the root directory of the git repository I use for version control. Seeing as you are developing on multiple machines and would potentially want to do a release from any one of them, I'd suggest doing the same.


I wish that GitHub had a built-in tool to support storing the occasional private file for a public open source repo. This is important for certificates and keystores that are associated with source code, but shouldn't be publicly viewable.

Ideally, GitHub would have some sort of keystore repo that would act like a mini-private repo. That way, you could put your private keystores in a private repo, and only share them with accounts who should be allowed to manage your Google Play and iTunes Connect accounts.

Until that day, I've taken to storing my keystore files in a free private repo on Bitbucket, and then putting a link to the Bitbucket repo in my GitHub open source repo. That way, it won't get lost since anyone who can check out the source can see where the keystore is, but it also isn't publicly available.

GitHub, if you're listening, I think supporting a very restricted, free, private repo just for keystores would be a great service to the open source mobile app community.
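
Added example, not part of the answer above: when the keystore lives in a separate private repo as that answer describes, a check like the following can be run over the public source tree before pushing to confirm no keystore has slipped in. It matches the JKS and JCEKS file magic numbers and falls back to common keystore file extensions; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# First four bytes of Java keystore formats: JKS is 0xFEEDFEED, JCEKS is 0xCECECECE.
MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}
# Extensions commonly used for signing keystores (a naming convention, not proof).
SUSPECT_EXTENSIONS = {".keystore", ".jks", ".p12", ".pfx", ".bks"}

def classify(path):
    """Return a keystore label for path, or None if it does not look like one."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head in MAGIC:
        return MAGIC[head]  # content match catches renamed keystores
    ext = os.path.splitext(path)[1].lower()
    if ext in SUSPECT_EXTENSIONS:
        return "keystore-like name (%s)" % ext
    return None

def find_keystores(root):
    """Walk root, skipping .git internals, and return {relative_path: label}."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            label = classify(full)
            if label:
                hits[os.path.relpath(full, root)] = label
    return hits

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        samples = {  # constructed file headers, not real keystores
            "release.keystore": b"\xfe\xed\xfe\xed\x00\x00\x00\x02",
            os.path.join("src", "notes.bin"): b"\xce\xce\xce\xce\x00\x00\x00\x02",
            "upload.p12": b"\x30\x82\x0a\x00",
            os.path.join("src", "Main.java"): b"class Main {}",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return find_keystores(root)

if __name__ == "__main__":
    for path, label in sorted(demo().items()):
        print("%-20s %s" % (path, label))
```
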


You want to keep your Keystore secure. If someone obtained it you essentially will lose authoring identity.

http://developer.android.com/guide/publishing/app-signing.html (bottom of page)