  1. Jenkins
  2. JENKINS-56909

Allow to unlock/lock keychain on demand

Details

    • xcode-plugin-2.0.12

    Description

      I want to allow developers to use custom scripts (mostly Ruby scripts) to build these iOS apps.

      But actually there is a problem with the keychain unlocking.

      For this reason, I would like to develop a specific Builder and Step only to unlock/lock the keychain.

      This way, the actions unlock keychain "keychainName" and lock keychain "keychainName" can be called on demand.
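
What unlocking and locking on demand around a custom build script looks like with the macOS `security` command-line tool, as an added example that is not part of the original issue or the plugin's code. The function name `with_unlocked_keychain`, the `KEYCHAIN_PASSWORD` variable, and the path and script name in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example. with_unlocked_keychain and KEYCHAIN_PASSWORD are assumed names;
# `security unlock-keychain` and `security lock-keychain` are the macOS CLI calls.

# Usage: with_unlocked_keychain <keychain-path> <command> [args...]
with_unlocked_keychain() {
    local keychain="$1"
    shift
    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "KEYCHAIN_PASSWORD is not set" >&2
        return 2
    fi
    # -p puts the password in argv, so it is briefly visible in the process
    # list of the build agent while the unlock command runs.
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain" || return 3

    local status=0
    # Run the build in a subshell that no longer has the password in its
    # environment, so the custom script cannot read or log it.
    ( unset KEYCHAIN_PASSWORD; "$@" ) || status=$?

    # Always re-lock, even when the build command failed.
    security lock-keychain "$keychain" || echo "warning: could not re-lock $keychain" >&2
    return "$status"
}

# Example call (constructed path and script name):
#   with_unlocked_keychain "$HOME/Library/Keychains/ci.keychain" ruby build_ios.rb
```

The build command's exit status is passed through, so a failing script still fails the job after the keychain has been locked again.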

       

      Attachments

        Activity

          matttt Mathieu Delrocq added a comment

          After tests, the functionality is working correctly.
          kazuhidet Kazuhide Takahashi added a comment (edited)

          Unfortunately, I didn't find a good way to copy the keychain information currently defined in "Configure System" to "Credentials".
          Therefore compatibility is only kept with regard to unlocking the keychain using old (legacy) information.
          Finally, you need to manually delete the keychain information defined in "Configure System" and migrate to "Credentials".

          The existing job will work as it is if you don't touch it, but when you create a new job or edit an existing job, you need to use the newly defined "Credentials" information.

          matttt Mathieu Delrocq added a comment

          kazuhidet,

          After analysis, I think it is better to use the credentials plugin for the keychain as you suggested. Is there a solution to make this update compatible with the actual version of the plugin?
          matttt Mathieu Delrocq added a comment (edited)

          I think it is a good approach to use credentials. But I would like to know if it's compatible with the keychain format and if the password will be accessible using the withCredential() function in a pipeline. If we use credentials for the keychain, we must consider that it will be accessible outside of the plugin.

          And as you stated in JENKINS-57333, this will cause compatibility problems with current versions of the plugin.

          However, I don't have enough knowledge of the possibilities of the plugin, and maybe it is better to have the advice of other Jenkins developers?

          kazuhidet Kazuhide Takahashi added a comment

          The official Jenkins document "Writing Pipeline-Compatible Plugins" says "Instead you should integrate with the Credentials plugin."
          https://jenkins.io/doc/developer/plugin-development/pipeline-integration/

          I think this means information about authentication had better be handled through the "Credentials plugin" rather than stored by the plugin itself.

          What do you think about this?

          kazuhidet Kazuhide Takahashi added a comment

          matttt
          This is another proposal.
          Separated the steps to unlock the keychain as per your suggestion.
          And fixed the problem that the keychain password is saved in plain text.
          https://github.com/jenkinsci/xcode-plugin/pull/102

          matttt Mathieu Delrocq added a comment

          kazuhidet,

          I'm afraid that making keychains a credential will allow access to the password using the withcredential(...) command. We don't want to make it visible to Jenkins users.

          And it will be a problem for backward compatibility with the actual configuration of the plugin.
          kazuhidet Kazuhide Takahashi added a comment (edited)

          matttt

          This is one of my proposals for a solution.
          I've always thought that the information about the Xcode Plugin's keychain should be in "Credentials" instead of "Configure System".
          By setting the keychain information in "Credentials" and making it compatible with the "Credentials Binding Plugin", it becomes easier to manipulate the keychain even in your own script as follows: .

          JENKINS-57333

          People

            kazuhidet Kazuhide Takahashi
            matttt Mathieu Delrocq