[JIRA] (JENKINS-56909) Allow to unlock/lock keychain on demand


mathieu-externe.delrocq@edf.fr (JIRA)

Apr 5, 2019, 7:58:02 AM
to jenkinsc...@googlegroups.com
Mathieu DELROCQ created an issue
 
Jenkins / New Feature JENKINS-56909
Allow to unlock/lock keychain on demand
Issue Type: New Feature
Assignee: Mathieu DELROCQ
Components: xcode-plugin
Created: 2019-04-05 11:57
Priority: Minor
Reporter: Mathieu DELROCQ

In our company, we want to allow developers to use custom scripts (mostly Ruby scripts) to build these iOS apps.

But actually it's a problem with the keychain unlocking.

For this reason, we would like to develop specific Builder and Step only to unlock/lock keychain.

Like this the actions unlock keychain "keychainName" and lock keychain "keychainName" can be called on demand.

 

 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

mathieu-externe.delrocq@edf.fr (JIRA)

Apr 5, 2019, 10:14:03 AM
to jenkinsc...@googlegroups.com
Mathieu DELROCQ assigned an issue to Unassigned
Change By: Mathieu DELROCQ
Assignee: Mathieu DELROCQ

mathieu-externe.delrocq@edf.fr (JIRA)

Apr 8, 2019, 8:18:02 AM
to jenkinsc...@googlegroups.com
Mathieu DELROCQ updated an issue
In our company, I want to allow developers to use custom scripts (mostly Ruby scripts) to build these iOS apps.

But actually it's a problem with the keychain unlocking.

For this reason, I would like to develop specific Builder and Step only to unlock/lock keychain.

Like this the actions unlock keychain "keychainName" and lock keychain "keychainName" can be called on demand.

 

mathieu-externe.delrocq@edf.fr (JIRA)

Apr 8, 2019, 8:28:01 AM
to jenkinsc...@googlegroups.com
Mathieu DELROCQ started work on New Feature JENKINS-56909
 
Change By: Mathieu DELROCQ
Status: Open → In Progress

mathieu-externe.delrocq@edf.fr (JIRA)

Apr 8, 2019, 8:28:02 AM
to jenkinsc...@googlegroups.com
Mathieu DELROCQ stopped work on New Feature JENKINS-56909
 
Change By: Mathieu DELROCQ
Status: In Progress → Open

kazuhide.t@linux-powered.com (JIRA)

May 5, 2019, 10:41:02 PM
to jenkinsc...@googlegroups.com
Kazuhide Takahashi commented on New Feature JENKINS-56909
 
Re: Allow to unlock/lock keychain on demand

Mathieu Delrocq

This is one of my proposals for a solution.
I've always thought that the information about the Xcode Plugin's keychain should be in "Credentials" instead of "Configure System".
By setting the keychain information in "Credentials" and making them compatible with "Credentials Binding Plugin", it becomes easier to manipulate the keychain even in your own script as follows:

link title

delrocq.mathieu@gmail.com (JIRA)

May 9, 2019, 12:46:02 PM
to jenkinsc...@googlegroups.com

Kazuhide Takahashi,

I'm afraid that making keychains a credential will allow access to the password using the withcredential(...) command. We don't want to make it visible to Jenkins users.

And it will be a problem for the backward compatibility with the actual configuration of the plugin.

kazuhide.t@linux-powered.com (JIRA)

May 10, 2019, 6:16:03 AM
to jenkinsc...@googlegroups.com

Mathieu Delrocq
This is another proposal.
Separated the steps to unlock the keychain as per your suggestion.
And fixed the problem that the keychain password is saved in plain text.
https://github.com/jenkinsci/xcode-plugin/pull/102

kazuhide.t@linux-powered.com (JIRA)

May 13, 2019, 6:02:01 AM
to jenkinsc...@googlegroups.com
 
Re: Allow to unlock/lock keychain on demand

Jenkins official document "Writing Pipeline-Compatible Plugins" says "Instead you should integrate with the Credentials plugin."
https://jenkins.io/doc/developer/plugin-development/pipeline-integration/

I think this means information about authentication had better be handled through "credential plugin" rather than stored by the plugin itself.

What do you think about this?
 

delrocq.mathieu@gmail.com (JIRA)

May 13, 2019, 8:34:03 AM
to jenkinsc...@googlegroups.com
Mathieu Delrocq edited a comment on New Feature JENKINS-56909
I think it is a good approach to use credential. But I would like to know if it's compatible with keychain format and if the password will be accessible using withCredential() function in a pipeline. If we use credentials for Keychain, we must consider it will be accessible outside of the plugin.

And as you stated in JENKINS-57333, this will cause compatibility problems with current versions of the plugin.

However, I don’t have enough visibility on all functionalities of the plugin and maybe it is better to have the advice of other Jenkins developers?

delrocq.mathieu@gmail.com (JIRA)

May 13, 2019, 8:34:03 AM
to jenkinsc...@googlegroups.com

I think it is a good approach to use credential. But I would like to know if it's compatible with keychain format and if the password will be accessible using withCredential() function in a pipeline. If we use credentials for Keychain, we must consider it will be accessible outside of the plugin.

And as you stated in JENKINS-57333, this will cause compatibility problems with current versions of the plugin.

However, I don’t have enough visibility on all functionalities of the plugin and maybe it is better to have the advice of other Jenkins developers?

delrocq.mathieu@gmail.com (JIRA)

May 13, 2019, 8:41:02 AM
to jenkinsc...@googlegroups.com
Mathieu Delrocq edited a comment on New Feature JENKINS-56909
I think it is a good approach to use credential. But I would like to know if it's compatible with keychain format and if the password will be accessible using withCredential() function in a pipeline. If we use credentials for Keychain, we must consider it will be accessible outside of the plugin.

And as you stated in JENKINS-57333, this will cause compatibility problems with current versions of the plugin.

However, I don’t have enough knowledge on the possibilities of the plugin and maybe it is better to have the advice of other Jenkins developers?

delrocq.mathieu@gmail.com (JIRA)

May 14, 2019, 6:14:02 AM
to jenkinsc...@googlegroups.com

Kazuhide Takahashi,

After analysis, I think it is better to use the credentials plugin for the keychain as you suggested. Is there a solution to make this update compatible with the actual version of the plugin?

 

kazuhide.t@linux-powered.com (JIRA)

May 14, 2019, 7:21:02 AM
to jenkinsc...@googlegroups.com

Unfortunately, I didn't find a good way to copy the keychain information currently defined in "Configure System" to "Credentials".
Therefore compatibility is only kept with regard to unlocking the keychain using old (legacy) information.
Finally, you need to manually delete the keychain information defined in "Configure System" and migrate to "Credentials".

kazuhide.t@linux-powered.com (JIRA)

May 14, 2019, 7:29:02 AM
to jenkinsc...@googlegroups.com
Kazuhide Takahashi edited a comment on New Feature JENKINS-56909
Unfortunately, I didn't find a good way to copy the keychain information currently defined in "Configure System" to "Credentials".
Therefore compatibility is only kept with regard to unlocking the keychain using old (legacy) information.
Finally, you need to manually delete the keychain information defined in "Configure System" and migrate to "Credentials".

The existing job will work as it is if you don't touch it, but when you create a new job or edit an existing job, you need to use the newly defined "Credentials" information.

delrocq.mathieu@gmail.com (JIRA)

May 27, 2019, 11:18:02 AM
to jenkinsc...@googlegroups.com
Mathieu Delrocq started work on New Feature JENKINS-56909
 
Change By: Mathieu Delrocq
Status: Open → In Progress

delrocq.mathieu@gmail.com (JIRA)

Jun 5, 2019, 12:39:02 PM
to jenkinsc...@googlegroups.com
 

After tests, the functionality is working correctly.

Change By: Mathieu Delrocq
Status: In Review → Resolved
Resolution: Done
Released As: xcode-plugin-2.0.12