9

Specifically, how are things like keystores handled, or other items needed to build or run an app?

In my case, I have a Chrome OS app that requires a keystore to build and publish to the Chrome Web Store.

I have several ideas, but I really want to know how others are actually handling this type of situation.

Rory Alsop
    I can't think of a specific example, but my suspicion is that this is handled by not distributing the secret parts. The job of deploying to the app store belongs to one person or group, not to the Internet at large. People can contribute to the code, but somebody remains as the sole point of contact, and keeps the needed secrets. – Feb 24 '12 at 14:17
  • https://github.com/openstreetmap/chef/issues/61 - here is an example of a real open-source project explaining that all the private repos it uses are for "data bags containing the various passwords, private keys, etc." – reducing activity Apr 16 '16 at 17:28

2 Answers

8

Please remember the following important rule:

  • Don't hardcode cryptographic keys or secrets in the code!

This rule is not specific to open source. It is a good rule of thumb for all source code.

Maybe you are wondering: where should you store secret keys, passwords, etc.? The answer: Store them in a separate configuration file, not in the source code. Don't include them in the source code repository / version control system.

D.W.

5

A similar question was asked in https://stackoverflow.com/questions/1635963/open-source-and-how-it-works-for-secure-projects

As this is really an integration/deployment issue, you might consider using a lookup function for sensitive data.

By using keywords to identify your data and keeping separate tables in development, staging and production, you can still run tests against this part of the code, while protecting the sensitive detail.

Examples: Java getProperty() or Puppet extlookup()

Update: See also this Encrypted Yaml Hiera extension. Hiera is the (now standard) successor for extlookup() in Puppet.

You will still require a place where these keys can be decrypted without an operator present, so the Puppet master will need to know those keys. Because eyaml uses asymmetric encryption there is no need for sharing keys. You do need proper controls in place for access to the Puppet master, but that's nothing new.
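Both answers describe one pattern from different angles: D.W.'s rule that secrets belong in a configuration file kept out of version control, and the keyword lookup with separate development, staging and production tables that still lets tests exercise the code path. The Python module below is an added example written for this page; it is not code from the question, from either answer, or from any of the projects mentioned (Puppet, Hiera, eyaml). The module layout, the `SECRETS_FILE` environment variable, the KEY=VALUE file format, the `DEV_TABLE` fixture and all function names are assumptions made for illustration. It fails closed in the ways a practitioner would want: staging and production never fall back to the development placeholders, a secrets file that other users can read is refused, and an optional check rejects a file that sits inside the repository working tree.

```python
"""Keyword lookup of secrets, with per-environment tables.

Hypothetical module written for this page (not from the question, either
answer, or any project mentioned). Assumptions: secrets are referred to by
keyword such as "keystore_password"; the development table is committed with
obviously fake values so tests can run; staging and production read a
KEY=VALUE file outside the repository whose path comes from the SECRETS_FILE
environment variable (or an explicit argument).
"""
import os
import stat


class SecretError(RuntimeError):
    """Raised when a secret cannot be resolved safely; callers must not continue."""


# Committed on purpose: placeholder values that are useless outside tests.
DEV_TABLE = {
    "keystore_password": "dev-not-a-secret",
    "api_token": "dev-not-a-secret",
}


def parse_secrets_file(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored.

    Only the first '=' splits, so values may themselves contain '='.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise SecretError(f"secrets file line {lineno}: expected KEY=VALUE")
        key, value = line.split("=", 1)
        table[key.strip()] = value.strip()
    return table


def ensure_outside_repo(path, repo_root):
    """Refuse a secrets file that lives inside the checkout (it would be one
    `git add .` away from being published). Returns True when the check passes."""
    real = os.path.realpath(path)
    root = os.path.realpath(repo_root)
    if os.path.commonpath([real, root]) == root:
        raise SecretError(f"{path} is inside the repository {repo_root}; move it out")
    return True


def load_secrets_file(path):
    """Read the out-of-repo file, refusing it if group or others can access it."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretError(f"{path} is group/world accessible; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return parse_secrets_file(fh.read())


def lookup(name, env, secrets_path=None, repo_root=None):
    """Resolve secret `name` for `env` in {"development", "staging", "production"}.

    Development never touches the filesystem; the other environments never
    fall back to DEV_TABLE, so a misconfigured deploy fails instead of
    shipping a placeholder.
    """
    if env == "development":
        table = DEV_TABLE
    elif env in ("staging", "production"):
        path = secrets_path or os.environ.get("SECRETS_FILE")
        if not path:
            raise SecretError("SECRETS_FILE is not set; refusing to use development values")
        if repo_root is not None:
            ensure_outside_repo(path, repo_root)
        table = load_secrets_file(path)
    else:
        raise SecretError(f"unknown environment {env!r}")
    try:
        return table[name]
    except KeyError:
        raise SecretError(f"no secret named {name!r} for {env}") from None
```

In the build or deploy step you would call `lookup("keystore_password", "production", repo_root=".")` on the release host, where the 0600 file pointed to by `SECRETS_FILE` plays the role the Puppet master plays in the eyaml setup: the one place that holds the plaintext without an operator present. Unit tests call the same function with `env="development"` and get the committed placeholders, so the code path is exercised without any real secret ever entering the repository.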