use Android keystore from Jenkins credentials #10078
Oh lovely, looks like it doesn't work:
Might be related to how Jenkins changes the permissions of the file.
bee2129 to 5ebc53d
I tried doing
5ebc53d to cc434bb
Whelp. I ran
But that's not a correct checksum. That means Jenkins modifies the contents when creating the file.
I created a
And ran this test CI job to verify this:

```groovy
pipeline {
  agent { label "linux" }
  stages {
    stage('Test') {
      steps {
        withCredentials([
          file(
            credentialsId: 'test-file.txt',
            variable: 'TEST_FILE'
          )]
        ) {
          // contains text "TEST"
          sh "ls -l ${env.TEST_FILE}"
          sh "md5sum ${env.TEST_FILE}"
          // expected sum
          sh "echo TEST | md5sum"
        }
      }
    }
  }
}
```

And the result was correct:
https://ci.status.im/job/tests/job/secret-file-test/1/

So there must have been something wrong with how I uploaded the Keystore file. I guess.
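A guard for the failure chased in the comments above (a secret file whose permissions or contents differ from what was uploaded), as an added example that is not part of the original thread or the project's code: it checks the file mode and a SHA-256 digest before the file is used. The function name, return codes, the no-group/other-access policy, the constructed sample file and the use of `sha256sum` in place of the thread's `md5sum` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check a CI secret file before use.
# Usage: verify_secret_file PATH EXPECTED_SHA256
# Returns 0 ok, 1 missing/empty, 2 permissions too open, 3 digest mismatch.
verify_secret_file() {
    file=$1
    expected=$2
    # A missing or zero-length file means the credential was not written out.
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    # Mode string from ls, e.g. "-rw-------". Assumed policy: regular file,
    # no group or other access.
    mode=$(ls -ld -- "$file" | cut -c1-10)
    case "$mode" in
        -???------) ;;
        *) echo "permissions too open ($mode): $file" >&2; return 2 ;;
    esac
    # Compare digests only; never print the secret's contents to the log.
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        return 3
    fi
    return 0
}

# Constructed demo mirroring the thread's test credential (the text "TEST").
# Prints the three return codes: intact file, altered content, loose mode.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'TEST\n' > "$dir/secret"
    chmod 600 "$dir/secret"
    good=$(printf 'TEST\n' | sha256sum | cut -d' ' -f1)
    r_ok=0; r_bad=0; r_perm=0
    verify_secret_file "$dir/secret" "$good" || r_ok=$?
    printf 'TEST\r\n' > "$dir/secret"   # contents changed after upload
    verify_secret_file "$dir/secret" "$good" 2>/dev/null || r_bad=$?
    chmod 644 "$dir/secret"
    verify_secret_file "$dir/secret" "$good" 2>/dev/null || r_perm=$?
    rm -rf "$dir"
    echo "$r_ok $r_bad $r_perm"
}

demo
```

In a pipeline the expected digest would be recorded from the original keystore at upload time and kept outside the credentials store, so a wrong upload is caught on the first build.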
cc434bb to 1618d14
Okay,
So it must be something more than that.
c7051bd to 9ff11dd
It works! Somehow I managed to upload the wrong keystore twice. 3rd time's the charm.
Does this put extra security scrutiny on
Not sure what you mean by that. Before the file was directly on the filesystem of 5 Linux CI hosts. Now it's encrypted in the What more do you want?
You mean as in we lose the host? Or what?
That's a very broad question. Not sure what to tell you. I explained how the credentials store works. You can check how extracting a value from it works here:
9ff11dd to 64a214b
Merging this as a partial fix. We can improve upon it in the future.
This way we don't have to store it on individual CI hosts.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
64a214b to cb78293
To improve security of Keystore I'm moving it to Jenkins credentials store.
This way we won't have to store the Keystore on individual CI hosts, only the master-01.