xcode-plugin and re-locking keychains


Jerome Lacoste

Dec 15, 2014, 5:51:41 AM
to jenkin...@googlegroups.com, k...@kohsuke.org
Hello,

I am making a pass at the xcode-plugin these days. I am going through the pull requests and issues and trying to put a bit of order in the plugin.

One particular issue is the management of keychains, which can be done in different ways.

Right now we have:
1. global keychains
2. job keychains
3. developerProfile loading (into custom keychains)

I really like the developerProfile one. It fits well in the Jenkins credentials mechanism.


One issue with keychains is that they need to be unlocked / relocked. Right now there are several pull requests (https://github.com/jenkinsci/xcode-plugin/pull/47, https://github.com/jenkinsci/xcode-plugin/pull/49) that want to provide a way for the user to specify a lock timeout (or remove it altogether), which can be problematic if the user specifies too short a timeout.

A better way IMHO would be to automatically relock the keychain once it is no longer needed (at least for those we know aren't shared simultaneously by multiple jobs). That really sounds like a BuildWrapper to me.

Kohsuke, is this what you had in mind when adding the:
    * TODO: destroy identity in the end.

Does anyone have a tip on how this could be implemented in a nice way? (I looked a bit at the Locks and Latches plugin).



Another issue is that the global and job keychain mechanisms have several issues:
* they store passwords in plaintext. So that's not good.
* also, they require configuration to be done beforehand on all machines. Not practical for slave setups
* finally, I suspect that the granularity of only having global or job keychains makes them not very useful in the case of servers with compartmented teams

And there are probably other problems I don't know of. I am almost in favor of deprecating these mechanisms, not supporting them anymore, and letting people use custom scripts to extend this functionality instead. Any feedback on this idea?


Thanks,

Jerome
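
Added example, not part of the original post or of the xcode-plugin's code: a shell wrapper sketching the "relock once not needed" idea with the macOS `security` tool, unlocking a keychain for one command and relocking it on every exit path. The `KEYCHAIN_PASSWORD` and `SECURITY_BIN` variables, the function name, and the path in the usage comment are assumptions made for this illustration.

```sh
#!/bin/sh
# Added illustration: keep a keychain unlocked only while one command runs.
# Assumptions (not from the thread): KEYCHAIN_PASSWORD is injected by the CI
# credentials store, and SECURITY_BIN may point at a stub for dry runs.
# Caveat: "unlock-keychain -p" passes the password as a process argument.
SECURITY_BIN="${SECURITY_BIN:-security}"

# Usage: with_unlocked_keychain <keychain-path> <command> [args...]
# The body is a subshell, so its variables and traps do not leak to the caller.
with_unlocked_keychain() (
    keychain="$1"
    shift
    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "KEYCHAIN_PASSWORD is not set" >&2
        exit 2
    fi
    "$SECURITY_BIN" unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain" || exit 3

    # Relock on every way out of the subshell: success, failure, or signal.
    trap '"$SECURITY_BIN" lock-keychain "$keychain" || echo "relock of $keychain failed" >&2' EXIT
    trap 'exit 130' INT
    trap 'exit 143' TERM

    "$@"
    exit $?
)

# Example call (hypothetical path and scheme):
#   with_unlocked_keychain "$HOME/Library/Keychains/ci.keychain" xcodebuild -scheme App build
```

The wrapper returns the wrapped command's exit status, so a failed build still fails the job after the keychain has been relocked.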

Jerome Lacoste

Jan 31, 2015, 6:21:06 AM
to jenkin...@googlegroups.com, k...@kohsuke.org
Does anyone else have some input on the xcode plugin and keychain management?

Cheers,

Jerome