Hi Alix,

For what it's worth, here is how the ImageJ project does it for Travis CI builds:

https://github.com/imagej/imagej/blob/2bfd8a23a5ff427fabe12ea3f7114604e8485a75/.travis.yml
https://github.com/imagej/imagej/blob/2bfd8a23a5ff427fabe12ea3f7114604e8485a75/.travis/build.sh
https://github.com/imagej/imagej/blob/2bfd8a23a5ff427fabe12ea3f7114604e8485a75/.travis/settings.xml

To summarize the key points:

* The build invokes mvn with "--settings .travis/settings.xml", which is a settings.xml committed to SCM.
* This settings.xml uses "${env.MAVEN_PASS}" for the password.
* This MAVEN_PASS environment variable is stored encrypted in the .travis.yml file; see: https://docs.travis-ci.com/user/environment-variables/

In our case, we are fine hardcoding the Maven deploy user as "travis", but of course you could also make that configurable with a MAVEN_USER variable or similar.

For manual deployment, developers use their own ~/.m2/settings.xml with their own credentials—i.e., for us, the .travis/settings.xml is _only_ for Travis builds.

HTH,
Curtis

--
Curtis Rueden
LOCI software architect - https://loci.wisc.edu/software
ImageJ2 lead, Fiji maintainer - https://imagej.net/User:Rueden

On Fri, Mar 17, 2017 at 8:38 AM, Alix Lourme <[email protected]> wrote:

> Dear community,
>
> I'm searching for the best practice for password encryption in a Maven POM
> file *by project*, could be used by properties (like in ANT or WAGON). Sample:
> ---
> <plugin>
>   <artifactId>maven-antrun-plugin</artifactId>
>   <version>1.8</version>
>   <configuration>
>     <target>
>       <echo message="Get docker certificates" />
>       <mkdir dir="cert" />
>       <scp file="root:${docker.password}@10.xx.xx.xx:/root/.docker/*"
>            todir="cert" trust="yes" />
>     </target>
>   </configuration>
> </plugin>
> ---
>
> In this case, my *docker.password* could be a property (pom or
> settings.xml) but must not be in clear text.
>
> The problem with Maven encryption
> <https://maven.apache.org/guides/mini/guide-encryption.html>:
> - I have a master password defined in *settings-security.xml* (locally) for
>   my user needs (like proxy password encryption in MY *settings.xml*)
> - The CI tool contains the same mechanism (its own *settings-security.xml*)
>   for global needs, like server encryption used in *settings.xml* for jar
>   publication in the repository; and I can't retrieve this file
>
> => I can't use this mechanism for password encryption that works locally and
> on the CI server.
>
> *Is there a way to have an encryption mechanism for the project's perimeter?*
> (and not for the user's perimeter, current Maven encryption works perfectly
> for that).
>
> ---
>
> Using -s and -gs Maven options (=> user/global settings override) could be
> a workaround but:
> - Server item definition or properties defining password must be in clear
>   text
> - Using these Maven settings for each build depending on the project workspace
>   is a little boring
>
> Perhaps there is a best way like a "private key by project" ... but I
> didn't find an entry point about that.
>
> Thanks in advance. Best regards
>
> *NB*: This question was first on stackoverflow
> <https://stackoverflow.com/questions/33784790/maven-password-encryption-by-project>,
> but no real interest ^^.
> --
> Alix Lourme
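
An added example, not part of the original thread and not the ImageJ project's own code: a pre-build check for a settings.xml committed to SCM, which reports any server or proxy secret that is not a "${env.NAME}" reference and any referenced variable that is unset in the build environment. The server ids and the sample file are constructed; only "travis" and MAVEN_PASS come from the message above.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample of a settings.xml committed to SCM for CI builds.
# Server ids are hypothetical; "travis" and MAVEN_PASS are from the thread.
SAMPLE_SETTINGS = """\
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>example-releases</id>
      <username>travis</username>
      <password>${env.MAVEN_PASS}</password>
    </server>
    <server>
      <id>example-snapshots</id>
      <username>travis</username>
      <password>not-a-real-secret</password>
    </server>
  </servers>
</settings>
"""

ENV_REF = re.compile(r"^\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}$")
SECRET_TAGS = ("password", "passphrase")

def local(tag):
    """Strip the XML namespace prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_settings(xml_text, environ):
    """Return (ids with a secret that is not an env reference, unset env names)."""
    hardcoded, missing = [], []
    for node in ET.fromstring(xml_text).iter():
        if local(node.tag) not in ("server", "proxy"):
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in node}
        for tag in SECRET_TAGS:
            if tag not in fields:
                continue
            ref = ENV_REF.match(fields[tag])
            if ref is None:  # literal (or Maven-encrypted) value in the file
                hardcoded.append(fields.get("id", "?"))
            elif not environ.get(ref.group(1)):  # referenced but unset/empty
                missing.append(ref.group(1))
    return hardcoded, missing

if __name__ == "__main__":
    print(audit_settings(SAMPLE_SETTINGS, os.environ))
```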
