My application calls GitHub API so I have to store GitHub token somewhere. I don't want to publish my token to public repository. I decided to store it in environmental variables. Disadvantage of environmental variables is that I have to set it correctly on all machines (localhost, codenvy, jenkins ...)
Is there better solution?
You can easily move it to Properties file and distribute it on all systems you need. If the security is matter for you, consider encryption of actual values for such file.
Hope it helps!
Related
is there a way to give a GitHub token only access to pull the latest release from my private GitHub repository. for updating a electron application. I don't want the token to have access to anything else but the latest release only
No, this is not possible. Tokens are generally scoped much more broadly than that (usually to your entire account), and even for ones that are scoped more narrowly, they'd cover at least all of the releases for the repository, if not the rest of the repository contents as well.
If you're trying to distribute software that's in a private repository, you should use some sort of CDN or cloud bucket for doing that (over HTTPS) and implement a suitable digital signature scheme to prevent rogue updates.
my question starts from this article here. I followed it along, but this passage:
Security Considerations
Since these files will potentially contain secure information, such as
API_KEY, I’d recommend not checking them into version control and
instead using a secure file storage system like 1Password to contain
copies of Development.xcconfig, Staging.xcconfig and
Production.xcconfig.
makes me wonder what writer is talking about. Configs file are needed be in the app to work, I don't think I could put them aside. if someone could help I need to understand
how to handle those files in safety
how should use this config files, should I put them different (id present) endpoint based on environment? could I put there different things such images names, default values for variables etch?
I also wonder how this could be handled, putting them in some 1Password storage.
If you feel unsafe by checking in those files (why would you? Anyone who accesses the source code needs to somehow access some API using some key), you could
Handle this by .gitignore
Create a softlink from your repositiory to some outside "safe" area in your file system, protected by file system access rights
Handle those secrets by means of the keychain / secure enclave, see here
Anyhow, the biggest / only security risk I see is if you plan to publish your repository and dont't want your secrets to go public. In that case, you would replace those API keys by some text like "[enter your api key here]", which could easily be done by some awk/sed scripting.
I have an xctestplan in a library that I'm building that contains all the tests for the library. The tests need to access sensitive data. I would like to store this data in the environment variables for a scheme, but the tests don't seem to have access to these variables when I run them using a test plan. They only have access to the environment variables defined in the configuration for the test plan.
Is it possible for an xctestplan to inherit/access the environment variables from a scheme?
The reason I want to do this is because this library is publicly available on github. I want the xctestplan file to be tracked by git so that users can run the unit tests themselves if they want to. This file is stored in JSON format. If I add environment variables to the test plan, then they show up in this file. Therefore, I cannot store any sensitive information in this file. The temporary solution I have implemented is a separate, untracked, copy of the test plan that contains the sensitive data in the environment variables. This is not ideal because I need to keep these copies in sync with each other.
Storing the environment variables in a scheme is a better solution because I don't need to change it whenever I make changes to the test plan. It's also simpler to exclude schemes from git by unchecking the shared option.
I am creating a Spotify web API library. The sensitive information is the client id and client secret that Spotify uses for authentication requests.
With all of that said, if their is a better method of injecting sensitive data at runtime, I'm all ears.
It is generally recommended not to store credentials in a repository. The question is, where should they be stored then, so all developers have access to the same configuration?
The question is subjective - different practices may be applied. For me, the approach that worked best is utilisation of some form of "Single Sign-On" where possible and provision of personal logins to every system to developers. This also has an advantage of being able to find out who was responsible for a destructive action (which sometimes happens).
You can also take the approach as described here: store the credentials in the SCM, but in encrypted form. This will allow to maintain versioning, yet not allow access "for everyone". I'd say, best option is to combine these two approaches (and store only developer-environment "service" credentials - encrypted - in the SCM)
I stored the config files in a private S3 bucket and manage access via IAM. The configuration updates and revisions are handled by a small script using the AWS gem. That way anybody with sufficient privileges can access them, and we also can issue access credentials for each developer separately.
I am working on an open source project that needs to authorize to a service using oAuth 1.0a. To do this the client app needs to obtain a "key" and a "secret" that is used as part of the authorization handshake.
Question: Is it safe to check these tokens into my SCM? If not, how should I handle this?
Update: The keys I'm referring to here are application specific and the service they are for is copy
It really depends on how secret the keys are.
If they're tied to a user account like for AWS, then I would say to absolutely not include them in the SCM. In that case, the app should check the environment variables to load a key file from the user's directory.
If they're more designed to be per app, then it would reasonable to include the key in the source tree.
Now, if you're developing a library. It would reasonable to include your key in the source tree under the tests but not to include it the binary distributions.
One thing I will suggest, is that you put the key under different copyright terms than the rest of the library. That way, if someone forks your code, you can force them to get their own key.