I don’t think that’s possible with vanilla Jenkins. You may need to use some
secrets manager on top, like Vault. Essentially, anyone with access to
configure jobs can extract stored credentials.
On Wed, Jun 13, 2018 at 09:48, Stefan Bodewig <bode...@apache.org> wrote:
> On 2018-06-13, Dominik Psenner wrote:
> > As far as I can tell, the secrets stored in jenkins.a.o are
> > trustworthy. For instance I used a github access token generated from
> > my github account that grants jenkins access to the log4net-logging
> > repository on github. I am convinced that nobody else can steal that
> > token without logging in to jenkins using my credentials. Stefan,
> > would you please elaborate on the reasons why you do not trust PGP
> > signatures issued by builds.a.o?
> Maybe just because I'm paranoid. How would you store the private part of
> a PGP key in Jenkins in a way that cannot be compromised by people who
> log in to Jenkins or a malicious Jenkins addon that gets installed?
Matt Sicker <boa...@gmail.com>
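To make the point in the reply above concrete, here is an added example (not code from the thread, from the Jenkins project, or from the ASF build infrastructure) of a declarative Jenkinsfile that signs a release artifact with a PGP private key stored as a Jenkins "Secret file" credential plus a "Secret text" passphrase. The credential ids `release-pgp-key` and `release-pgp-passphrase`, the artifact path `dist/release.tar.gz`, and the use of a throwaway keyring in the workspace are all assumptions for illustration. The `withCredentials` block is the part a job configurer controls: Jenkins decrypts the key and hands the plaintext file to whatever shell script is written there, and the only protection it adds is masking the values if they happen to appear in the console log.

```groovy
// Added example for illustration; not from the original thread or project.
// Assumed credential ids: 'release-pgp-key' (Secret file), 'release-pgp-passphrase'
// (Secret text). Assumed artifact to sign: dist/release.tar.gz.
pipeline {
    agent any
    stages {
        stage('Sign release') {
            steps {
                withCredentials([
                    file(credentialsId: 'release-pgp-key', variable: 'PGP_KEY_FILE'),
                    string(credentialsId: 'release-pgp-passphrase', variable: 'PGP_PASSPHRASE')
                ]) {
                    // Everything in this shell step runs with the decrypted private key
                    // readable at "$PGP_KEY_FILE". Whoever can edit this job config (or
                    // a plugin running inside the controller) can read it just as easily.
                    sh '''
                        set -eu
                        # Use a throwaway keyring in the workspace so nothing is left
                        # in the agent's default ~/.gnupg after the build.
                        export GNUPGHOME="$WORKSPACE/.gnupg"
                        mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
                        gpg --batch --import "$PGP_KEY_FILE"
                        # Feed the passphrase on stdin rather than on the command line,
                        # so it does not show up in the agent's process listing.
                        printf '%s' "$PGP_PASSPHRASE" | gpg --batch \
                            --pinentry-mode loopback --passphrase-fd 0 \
                            --armor --detach-sign dist/release.tar.gz
                    '''
                }
            }
            post {
                always {
                    // Remove the temporary keyring; the imported private key lived on
                    // the agent's disk for the duration of the step regardless.
                    sh 'rm -rf "$WORKSPACE/.gnupg"'
                }
            }
        }
    }
}
```

Fetching the same key from Vault with a secrets-manager plugin changes where the key is at rest, not who can read it at build time: the signing step still receives the plaintext, so anyone who can configure the job still has it. The key stays out of reach of job configurers only if the signing operation itself happens outside the job (for example on a separate signing host that Jenkins can only submit digests to), which is the sort of setup the question in the thread is asking about.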