Jenkins / JENKINS-56909

Allow to unlock/lock keychain on demand

    Details

    • Released As:
      xcode-plugin-2.0.12

      Description

      I want to allow developers to use custom scripts (mostly Ruby scripts) to build these iOS apps.

      But actually it's a problem with the keychain unlocking.

      For this reason, I would like to develop specific Builder and Step only to unlock/lock keychain.

      Like this the actions unlock keychain "keychainName" and lock keychain "keychainName" can be called on demand.

       


          Activity

          kazuhidet Kazuhide Takahashi added a comment - - edited

          Mathieu Delrocq

          This is one of my proposals for a solution.
          I've always thought that the information about the Xcode Plugin's keychain should be in "Credentials" instead of "Configure System".
          By setting the keychain information in "Credentials" and making them compatible with "Credentials Binding Plugin", it becomes easier to manipulate the keychain even in your own script as follows: .

          JENKINS-57333

          matttt Mathieu Delrocq added a comment -

          Kazuhide Takahashi,

          I'm afraid that making keychains a credential will allow access to the password using the withcredential(...) command. We don't want to make it visible to Jenkins users.

          And it will be a problem for the backward compatibility with the actual configuration of the plugin.

          kazuhidet Kazuhide Takahashi added a comment -

          Mathieu Delrocq
          This is another proposal.
          Separated the steps to unlock the keychain as per your suggestion.
          And fixed the problem that the keychain password is saved in plain text.
          https://github.com/jenkinsci/xcode-plugin/pull/102

          kazuhidet Kazuhide Takahashi added a comment -

          The official Jenkins document "Writing Pipeline-Compatible Plugins" says "Instead you should integrate with the Credentials plugin."
          https://jenkins.io/doc/developer/plugin-development/pipeline-integration/

          I think this means information about authentication had better be handled through the "credential plugin" rather than stored by the plugin itself.

          What do you think about this?
           

          matttt Mathieu Delrocq added a comment - - edited

          I think it is a good approach to use credential. But I would like to know if it's compatible with keychain format and if the password will be accessible using withCredential() function in a pipeline. If we use credentials for Keychain, we must consider it will be accessible outside of the plugin.

          And as you stated in JENKINS-57333, this will cause compatibility problems with current versions of the plugin.

          However, I don't have enough knowledge of the possibilities of the plugin, and maybe it is better to have the advice of other Jenkins developers?

          matttt Mathieu Delrocq added a comment -

          Kazuhide Takahashi,

          After analysis, I think it is better to use credentials plugin for the keychain as you suggested. Is there a solution to make this update compatible with actual version of the plugin?

           

          kazuhidet Kazuhide Takahashi added a comment - - edited

          Unfortunately, I didn't find a good way to copy the keychain information currently defined in "Configure System" to "Credentials".
          Therefore compatibility is only kept with regard to unlocking the keychain using old (legacy) information.
          Finally, you need to manually delete the keychain information defined in "Configure System" and migrate to "Credentials".

          The existing job will work as it is if you don't touch it, but when you create a new job or edit an existing job, you need to use the newly defined "Credentials" information.

          matttt Mathieu Delrocq added a comment -

          After tests, the functionality is working correctly.
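
The thread's two concerns, unlocking the keychain on demand around a custom build script and keeping the keychain password out of reach of the job, can be illustrated with a small wrapper. This is an added example, not code from the issue or from xcode-plugin; it assumes a macOS agent with the `security` tool and a password supplied in a hypothetical `KEYCHAIN_PASSWORD` environment variable (for instance by a credentials binding).

```shell
#!/bin/sh
# Added example (not xcode-plugin code). Assumptions: the CI job exposes the
# keychain password as KEYCHAIN_PASSWORD (hypothetical variable name) and runs
# on macOS, where the `security` command-line tool is available.

# with_unlocked_keychain KEYCHAIN COMMAND [ARGS...]
# The body is a subshell "( ... )", so variables and `set +x` stay local.
with_unlocked_keychain() (
  if [ "$#" -lt 2 ]; then
    echo "usage: with_unlocked_keychain KEYCHAIN COMMAND [ARGS...]" >&2
    exit 2
  fi
  keychain=$1
  shift
  if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
    echo "KEYCHAIN_PASSWORD is not set" >&2
    exit 2
  fi

  # Keep the secret in a non-exported variable so the build command and its
  # children do not inherit it through the environment.
  pw=$KEYCHAIN_PASSWORD
  unset KEYCHAIN_PASSWORD

  # Never let `set -x` tracing copy the password into the build log.
  set +x

  # Caveat: -p places the password in the argv of the `security` process,
  # which other processes on the build agent can see while it runs.
  rc=0
  security unlock-keychain -p "$pw" "$keychain" || rc=$?
  unset pw
  if [ "$rc" -ne 0 ]; then
    echo "could not unlock $keychain" >&2
    exit "$rc"
  fi

  # Run the build step, remember its status, and re-lock regardless.
  "$@" || rc=$?
  security lock-keychain "$keychain" || echo "warning: $keychain left unlocked" >&2
  exit "$rc"
)
```

The wrapper returns the build command's exit status, so a failing build still fails the job after the keychain has been locked again.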

            People

            • Assignee:
              kazuhidet Kazuhide Takahashi
              Reporter:
              matttt Mathieu Delrocq