This repository has been archived by the owner on Sep 1, 2022. It is now read-only.

Sign artifacts on Jenkins #819

Open
cwardgar opened this issue Apr 27, 2017 · 0 comments

Comments

cwardgar (Contributor) commented Apr 27, 2017

Currently, as part of the release procedure, I sign Web Start JARs on my MacBook, using a local keystore file and locally-stored credentials. Then, I test that the signed ToolsUI will launch without security or application errors. Next, I copy the JARs to robin and test Web Start again, this time with remote artifacts. Finally, if all goes well, I delete the old Web Start JARs from the previous version.

That's a LOT of manual steps; we really need to automate. Unfortunately, that's not possible unless we figure out how to handle secrets on Jenkins in a secure way. Where does the keystore go? What about the credentials to unlock it?

But this problem is bigger than just Web Start. In the past, we've received several requests to upload our products to Maven Central. To do that, we need to sign them using an organizational PGP key. How do we store and manage access to that? Do we even have a key?

A couple of possibilities:

  • Jenkins Credentials plugin: Secrets are stored on Jenkins server and then injected into running jobs. Obviously, we must be confident that the Jenkins machine is secure and that our secrets won't be stolen.
  • AWS KMS: Enterprise-grade, hardened key-value store. The pattern seems to be to store secrets in S3 (encrypted) and their decryption keys in KMS. Secret management is centralized. But how much do we want to trust AWS with that stuff?
  • Hashicorp Vault: Similar to AWS KMS, but you run it on your own server.

Mike will want to have a say in this, obviously.
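As an added illustration of the first option above (not code from the issue or from the project), here is a declarative Jenkins pipeline that signs the Web Start JARs with a keystore and password injected by the Credentials Binding plugin, then verifies the signatures before anything is archived. The credential IDs `webstart-keystore` (a "Secret file" credential holding the keystore) and `webstart-storepass` (a "Secret text" credential holding its password), the key alias `unidata`, the JAR directory, and the timestamp server are all assumptions to adjust; the `file` and `string` bindings, `-storepass:env`, and `-verify -strict` are standard Jenkins and `jarsigner` features.

```groovy
// Added example, not from the original issue or the project.
// Assumed credential IDs: 'webstart-keystore' (Secret file) and
// 'webstart-storepass' (Secret text). Alias, paths and TSA URL are also assumed.
pipeline {
    agent any
    environment {
        JAR_DIR = 'build/webstart'   // assumed location of the unsigned JARs
    }
    stages {
        stage('Sign') {
            steps {
                withCredentials([
                    file(credentialsId: 'webstart-keystore', variable: 'KEYSTORE'),
                    string(credentialsId: 'webstart-storepass', variable: 'STOREPASS')
                ]) {
                    // Single-quoted Groovy string: the shell, not Groovy, expands
                    // $KEYSTORE and $STOREPASS, so the secrets are never
                    // interpolated into the script text. jarsigner reads the
                    // password via -storepass:env, keeping it off the command line
                    // and out of the console log (which the plugin also masks).
                    sh '''
                        set -eu
                        for jar in "$JAR_DIR"/*.jar; do
                            jarsigner -keystore "$KEYSTORE" \
                                      -storepass:env STOREPASS \
                                      -tsa http://timestamp.digicert.com \
                                      "$jar" unidata
                        done
                    '''
                }
                // The bound keystore file is removed by Jenkins when the
                // withCredentials block ends; only signed JARs stay in the workspace.
            }
        }
        stage('Verify') {
            steps {
                // -strict turns warnings (expired cert, untrusted chain, unsigned
                // entries) into a non-zero exit code, so the build fails early
                // instead of shipping a JAR that Web Start will reject.
                sh '''
                    set -eu
                    for jar in "$JAR_DIR"/*.jar; do
                        jarsigner -verify -strict "$jar"
                    done
                '''
            }
        }
    }
    post {
        success {
            // Fingerprinting records the hash of each signed JAR, which later
            // makes it possible to trace a deployed artifact back to this build.
            archiveArtifacts artifacts: "${env.JAR_DIR}/*.jar", fingerprint: true
        }
    }
}
```

With this layout the keystore and password only ever exist on the Jenkins controller's credential store and, during the `Sign` stage, in a temporary file and environment variable on the agent. Copying the verified JARs to the Web Start host and pruning the previous version's JARs would be further stages; they are omitted here because the target host and its access method are not described in the issue.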
