[QA] Keeping secrets safe on Jenkins

Stephen Niedzielski sniedzielski at wikimedia.org
Tue Aug 11 22:54:58 UTC 2015 

  Hello all! I have one question: what is the recommend way to keep files,
such as a Java keystore, safe on a WMF Jenkins machine?

  The Android team is trying to automate as much as possible, especially
when it comes to releasing software. Our reasons aren't novel: manual
releases are time consuming, we worry about unintentionally shipping bad
bits, and we don't like doing it. One thing that's been blocking this
effort is a security concern over exposing confidential information, such
as signing certificates, login credentials, certain lists of strings, etc,
on a Jenkins server.

  It might be helpful to describe some of our concrete use cases. I know
them currently as:

  1 Sign public jars with a private GnuPG key.
  2 Upload public jars to OSSRH with private credentials (currently stored
in a Gradle properties file but could be supplied on the command line).
  3 Sign public Android apps with a private Java keystore.

  Our future use cases are likely to include:

  4 Supply a private list of strings to generate private Android apps.
  5 Upload private and public Android apps to Google Drive (via gdrive[0],
requires a private app token).
  6 Upload public Android apps to the Google Play Developer Console (TBD,
likely requires a private app token).
  7 Upload public Android apps to the Amazon Appstore Developer
Portal (TBD, likely requires a private app token).
  8 Upload public Android apps to Caesium (via SCP).
  9 Update public release notes to a public MediaWiki installation.
  10 Publish public release notes to a mailing list.

  We currently do all of this on our local dev machines and it's a bit
scary. While generating the jars and apps on a build server as unsigned
artifacts would be a big win in itself, there would still be a significant
and error prone amount of signing and publishing we'd also prefer to live
in a controlled, reproducible environment.

  For simple strings, the Jenkins Mask Passwords Plugin[1] seems promising,
and even supported by Jenkins Job Builder[2]. What's not clear is how to
land files like our Java keystore and GnuPG keys on the server securely.
It's also not clear how we can guard our private Android app artifacts
mentioned in #4.

  In summary, we want to automate build and release and we want to keep our
private inputs and outputs secure. Surely other teams in the foundation
must have the same or very similar problems. What is the best reference
implementation?

  Thank you for reading!


--stephen

[0] https://github.com/prasmussen/gdrive
[1] https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin
[2]
http://docs.openstack.org/infra/jenkins-job-builder/wrappers.html#wrappers.mask-passwords
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/qa/attachments/20150811/a5288ae8/attachment.html>

More information about the QA mailing list