Jenkins does have a way of storing credentials. However, I don’t know if there is a way to limit which jobs can use the credentials.

Ralph

> On Jun 13, 2018, at 6:48 AM, Stefan Bodewig <bode...@apache.org> wrote:
>
> On 2018-06-13, Dominik Psenner wrote:
>
>> As far as I can tell, the secrets stored in jenkins.a.o are
>> trustworthy. For instance I used a github access token generated from
>> my github account that grants jenkins access to the log4net-logging
>> repository on github. I am convinced that nobody else can steal that
>> token without logging in to jenkins using my credentials. Stefan,
>> would you please elaborate the reasonings of why you do not trust pgp
>> signatures issued by builds.a.o?
>
> Maybe just because I'm paranoid. How would you store the private part of
> a PGP key in Jenkins in a way that cannot be compromised by people who
> log in to Jenkins or a malicious Jenkins addon that gets installed?
>
> Stefan