(adding the security team) On Tue, Aug 11, 2015 at 6:54 PM, Stephen Niedzielski < [email protected]> wrote:
> Hello all! I have one question: what is the recommend way to keep files, > such as a Java keystore, safe on a WMF Jenkins machine? > > The Android team is trying to automate as much as possible, especially > when it comes to releasing software. Our reasons aren't novel: manual > releases are time consuming, we worry about unintentionally shipping bad > bits, and we don't like doing it. One thing that's been blocking this > effort is a security concern over exposing confidential information, such > as signing certificates, login credentials, certain lists of strings, etc, > on a Jenkins server. > > It might be helpful to describe some of our concrete use cases. I know > them currently as: > > 1 Sign public jars with a private GnuPG key. > 2 Upload public jars to OSSRH with private credentials (currently stored > in a Gradle properties file but could be supplied on the command line). > 3 Sign public Android apps with a private Java keystore. > > Our future use cases are likely to include: > > 4 Supply a private list of strings to generate private Android apps. > 5 Upload private and public Android apps to Google Drive (via gdrive[0], > requires a private app token). > 6 Upload public Android apps to the Google Play Developer Console (TBD, > likely requires a private app token). > 7 Upload public Android apps to the Amazon Appstore Developer > Portal (TBD, likely requires a private app token). > 8 Upload public Android apps to Caesium (via SCP). > 9 Update public release notes to a public MediaWiki installation. > 10 Publish public release notes to a mailing list. > > We currently do all of this on our local dev machines and it's a bit > scary. While generating the jars and apps on a build server as unsigned > artifacts would be a big win in itself, there would still be a significant > and error prone amount of signing and publishing we'd also prefer to live > in a controlled, reproducible environment. > > For simple strings, the Jenkins Mask Passwords Plugin[1] seems > promising, and even supported by Jenkins Job Builder[2]. What's not clear > is how to land files like our Java keystore and GnuPG keys on the server > securely. It's also not clear how we can guard our private Android app > artifacts mentioned in #4. > > In summary, we want to automate build and release and we want to keep > our private inputs and outputs secure. Surely other teams in the foundation > must have the same or very similar problems. What is the best reference > implementation? > > Thank you for reading! > > > --stephen > > [0] https://github.com/prasmussen/gdrive > [1] https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin > [2] > http://docs.openstack.org/infra/jenkins-job-builder/wrappers.html#wrappers.mask-passwords > > -- > You received this message because you are subscribed to the Google Groups > "android" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/wikimedia.org/d/msgid/android/CANMtf2cEOHTPiYtPyvTO3Z0TipO6eHBrE%3Ds6q3HGKaFb0ki8TA%40mail.gmail.com > <https://groups.google.com/a/wikimedia.org/d/msgid/android/CANMtf2cEOHTPiYtPyvTO3Z0TipO6eHBrE%3Ds6q3HGKaFb0ki8TA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . >
_______________________________________________ QA mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/qa
