As others have mentioned, you shouldn’t be storing passwords in a POM. I as well don’t have a great corporate solution that works for secrets management for maven.
My solution has been to use Environment Variables, which basically follows the same pattern that AWS, Docker, Vagrant and others utilize. The pattern requires you to define a convention so that your secret is set into a predictable environment variable which you can then use within your POM, script, etc. while the job is running. As for local users, generally this can be a one-time setup; from there you don’t need to monkey with credentials ever again until you have to cycle. You shouldn’t need to share any credentials. This works well because unless you echo the environment, secret info isn’t echoed into the logs. And it can be utilized for non-secret information as well.

> On Mar 17, 2017, at 6:38 AM, Alix Lourme <[email protected]> wrote:
>
> I'm searching for the best practice for password encryption in a Maven POM file *by project*, which could be used by properties (like in ANT or WAGON). Sample:
> ---
> <plugin>
>   <artifactId>maven-antrun-plugin</artifactId>
>   <version>1.8</version>
>   <configuration>
>     <target>
>       <echo message="Get docker certificates" />
>       <mkdir dir="cert" />
>       <scp file="root:${docker.password}@10.xx.xx.xx:/root/.docker/*"
>            todir="cert" trust="yes" />
>     </target>
>   </configuration>
> </plugin>
> ---
>
> In this case, my *docker.password* could be a property (pom or settings.xml) but must not be in clear text.

Is there a reason you’re not using an identity file instead for this situation? It would likely work better, and you could pass the identity file as a secret file, from a separate system, repository, or local configuration for running the build.

> The problem with Maven encryption <https://maven.apache.org/guides/mini/guide-encryption.html>:
> - I have a master password defined in *settings-security.xml* (locally) for my user need (like proxy password encryption in MY *settings.xml*)
> - The CI tools contain the same mechanism (own *settings-security.xml*) for global needs, like server encryption used in *settings.xml* for jar publication in repository; and I can't retrieve this file

AFAIK Maven encryption only applies to <server> elements. Others can chime in, but not sure that this would solve your specific problem anyways. Does your CI solution have some kind of mechanism for retrieving or providing secret information/files? This seems to be the root of your problem.

> => I can't use this mechanism for password encryption that works locally and on the CI server.
>
> *Is there a way to have an encryption mechanism for the project's perimeter?* (and not for the user's perimeter; current Maven encryption works perfectly for that).

Environment variables can solve that, but not sure why you would want project-level vs user-level credentials.

> Using -s and -gs Maven options (=> user/global settings override) could be a workaround but:
> - Server item definition or properties defining password must be in clear text
> - Using these Maven settings for each build depending on the project workspace is a little boring

Why do you want something not boring?… usually means something that should always work doesn’t…. CI systems usually invoke with -s and -gs anyways, so I’m not sure what the big deal is. The way I’ve handled this is defaults use the ~/.m2/settings.xml and the CI utilizes a -s flag with a provided file.

> Perhaps there is a better way like a "private key by project" ... but I didn't find an entry point about that.

I’m still not entirely sure what you mean by “per project”. Do you mean “per module”?

If you’re having to have multiple credentials for a single project/reactor build, it’s possible that your problem is your CI Job is not granular enough.

> Thanks in advance. Best regards
> *NB*: This question was first on stackoverflow <https://stackoverflow.com/questions/33784790/maven-password-encryption-by-project>, but not really any interest ^^.

SO question doesn’t exist - that might be why there’s no interest?
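As an added illustration of the identity-file plus environment-variable approach discussed in this reply (example configuration written for this page, not code from the thread or from Maven), here is the poster's antrun step rewritten so the build receives an SSH key path from the environment instead of a password property; DOCKER_SSH_KEY, DOCKER_SSH_PASSPHRASE, the lifecycle phase and the dependency versions are assumptions.

```xml
<!-- Added example (not the original poster's POM): the same antrun scp step, but
     authenticating with an SSH identity file whose path arrives in an environment
     variable, so neither the POM nor settings.xml holds a password.
     DOCKER_SSH_KEY / DOCKER_SSH_PASSPHRASE and the phase are assumptions. -->
<plugin>
  <artifactId>maven-antrun-plugin</artifactId>
  <version>1.8</version>
  <dependencies>
    <!-- Ant's scp task needs ant-jsch and jsch on the plugin classpath
         (versions are assumptions; use what your build already resolves) -->
    <dependency>
      <groupId>org.apache.ant</groupId>
      <artifactId>ant-jsch</artifactId>
      <version>1.9.7</version>
    </dependency>
    <dependency>
      <groupId>com.jcraft</groupId>
      <artifactId>jsch</artifactId>
      <version>0.1.54</version>
    </dependency>
  </dependencies>
  <executions>
    <execution>
      <phase>generate-resources</phase>
      <goals><goal>run</goal></goals>
      <configuration>
        <target>
          <!-- expose the process environment to Ant as env.* properties -->
          <property environment="env"/>
          <!-- Ant properties are write-once: this default only applies when the
               variable is absent, so an unencrypted key works without extra setup -->
          <property name="env.DOCKER_SSH_PASSPHRASE" value=""/>
          <!-- fail fast and readably; only presence is checked, the value is never echoed -->
          <fail unless="env.DOCKER_SSH_KEY"
                message="DOCKER_SSH_KEY must point to the SSH identity file"/>
          <echo message="Get docker certificates"/>
          <mkdir dir="cert"/>
          <!-- identity file replaces the user:password@host form of the URL.
               trust="yes" skips host-key verification; prefer trust="no" plus a
               known_hosts file (the task's knownhosts attribute) once CI can ship one -->
          <scp file="root@10.xx.xx.xx:/root/.docker/*"
               keyfile="${env.DOCKER_SSH_KEY}"
               passphrase="${env.DOCKER_SSH_PASSPHRASE}"
               todir="cert" trust="yes"/>
        </target>
      </configuration>
    </execution>
  </executions>
</plugin>
```

On CI the key is provided as a secret file and the build invoked with the CI settings file, e.g. `DOCKER_SSH_KEY=/run/secrets/docker_key mvn -s ci-settings.xml package` (both paths are placeholders); locally the same variable is set once in the user's shell profile.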
