android build release apk on jenkins, without storing my password in plain text

后端 未结 3 759
囚心锁ツ
囚心锁ツ 2021-02-09 13:01

I need to be able to build the release version of my apk, using a Jenkins job.

From reading the following SO question

How to create a release signed apk file u

相关标签:
3条回答
  • 2021-02-09 13:07

    If your Jenkins instance happens to be running on EC2, and you don't want to permanently store secrets in the file system, you can put the store and key passwords into Systems Manager Parameter Store, then query them at build time. In addition, you can put the keystore itself into external storage, such as S3, and only keep it locally for the duration of the build.

    Here is a sample build script (assume that the secret parameters are named android-keystore-pass and android-signature-key-pass):

    set -o errexit
    set -o pipefail
    
    keystore_file=keystore.properties
    keystore=wise.jks
    
    aws s3 cp s3://path-to-android/$keystore .
    
    chmod go-rwx $keystore
    
    touch $keystore_file
    chmod go-rwx $keystore_file
    
    cat > $keystore_file << EOF
    storePassword=`aws ssm get-parameters --names android-keystore-pass --with-decryption | cut -f4`
    keyPassword=`aws ssm get-parameters --names android-signature-key-pass --with-decryption | cut -f4`
    keyAlias=android
    storeFile=$WORKSPACE/$keystore
    EOF
    

    An example of the Gradle build scripts can be found in this answer. You can commit a dummy keystore.properties to source control so that (non-release) builds work on dev machines.

    There are also open-source secret distribution tools that are platform-independent, e.g. Vault, but I haven't tried any of them.

    0 讨论(0)
  • 2021-02-09 13:19

    You can use Mask Password Plugin, which does just that. Or the same functionality is included in EnvInject plugin, and sooner or later all Jenkins projects get a need for EnvInject plugin (that does many other things), so might as well start using it now.

    To securely use a password from within a build/post-build step

    • Install EnvInject plugin.
    • Under Jenkins Global Configuration, find Global Passwords section.
    • Add a name (this will be the environment variable name) and password (will be starred **** ).
    • Under Job Configuration, find Build Environment section.
    • Checkmark Inject passwords to the build as environment variables.
    • Then checkmark Global passwords.

    In any build step, you can now use $name (as defined earlier) to refer to a password as you would if you were typing it in plain text.

    • The password variable is injected only at job execution time (typing $name on command line of the server by itself will not produce anything, and like all Jenkins variables, it is not persistent).
    • The job console log will show **** instead of password, if it appears.
    • You could configure passwords per job, rather than globally, so that other jobs can't use it.

    The only security concern is that if someone has administrative permissions to configure your job, they can write echo $name > secretpassword.txt into a build step, and then review the file in the workspace. But you should be careful who you assign administrative rights to.

    0 讨论(0)
  • 2021-02-09 13:26

    You should take a look for this plugin

    https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin

    0 讨论(0)
提交回复
热议问题