Echo off in Jenkins Console Output
Tags: Jenkins, Android Gradle-Plugin, Echo, Android Keystore
Jenkins Problem Overview
I'm following a guideline on how to sign an Android apk with Jenkins. I have a parametrized Jenkins job with KSTOREPWD and KEYPWD. A part of the Jenkins job configuration (Build->Execute shell) is to take those parameters and store them as environment variables:
export KSTOREPWD=${KSTOREPWD}
export KEYPWD=${KEYPWD}
...
./gradlew assembleRelease
The problem is when the build is over anybody can access the build "Console Output" and see what passwords were entered; part of that output:
08:06:57 + export KSTOREPWD=secretStorePwd
08:06:57 + KSTOREPWD=secretStorePwd
08:06:57 + export KEYPWD=secretPwd
08:06:57 + KEYPWD=secretPwd
So I'd like to suppress echo before output from export commands and re-enable echo after export commands.
Jenkins Solutions
Solution 1 - Jenkins
By default, Jenkins launches the Execute Shell script with set -x. This causes all commands to be echoed.
You can type set +x before any command to temporarily override that behavior. Of course you will need set -x to start showing them again.
You can override this behaviour for the whole script by putting the following at the top of the build step:
#!/bin/bash +x
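The effect of set +x on the trace can be checked locally. The following is an added example, not part of the original answer: it runs a step body under sh -x as described above and searches the captured trace for the secret. The names KSTOREPWD_PARAM, SAMPLE_STORE_PWD, leaky_step, quiet_step, trace_of and leaks_secret are hypothetical, and the password is a constructed sample value.

```shell
#!/bin/sh
# Constructed sample value, not a real credential.
SAMPLE_STORE_PWD='constructed-store-pwd'

# Step body as in the question: under `sh -x` the export line is traced.
leaky_step='export KSTOREPWD="$KSTOREPWD_PARAM"; echo "building"'

# Hardened step body: remember whether xtrace was on, switch it off while
# the secret is handled, then restore the previous state.
quiet_step='
case $- in *x*) had_xtrace=1 ;; *) had_xtrace=0 ;; esac
set +x
export KSTOREPWD="$KSTOREPWD_PARAM"
if [ "$had_xtrace" -eq 1 ]; then set -x; fi
echo "building"
'

# Run a step body with xtrace enabled and return only the trace (stderr).
# The secret reaches the child through its environment, never its arguments.
trace_of() {
    KSTOREPWD_PARAM="$SAMPLE_STORE_PWD" sh -x -c "$1" 2>&1 >/dev/null
}

# Exit status 0 if the trace of the given step body contains the secret.
leaks_secret() {
    trace_of "$1" | grep -qF "$SAMPLE_STORE_PWD"
}

if leaks_secret "$leaky_step"; then
    echo "plain step: secret appears in the trace"
fi
if ! leaks_secret "$quiet_step"; then
    echo "set +x step: secret absent from the trace"
fi
```

Restoring the saved state instead of calling set -x unconditionally keeps the step quiet when the whole script was already started with tracing off.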
Solution 2 - Jenkins
Here is an example of how to write the sh parameter in Jenkinsfile with no output in a more secure way, as suggested in official documentation. The set +x does the main magic as has been written in this answer.
> The single-quotes will cause the secret to be expanded by the shell as an environment variable. The double-quotes are potentially less secure as the secret is interpolated by Groovy, and so typical operating system process listings (as well as Blue Ocean, and the pipeline steps tree in the classic UI) will accidentally disclose it:
Insecure, wrong usage:
node {
    withCredentials([string(credentialsId: 'mytoken', variable: 'TOKEN')]) {
        sh /* WRONG! */ """
            set +x
            curl -H 'Token: $TOKEN' https://some.api/
        """
    }
}
Correct usage ✅:
node {
    withCredentials([string(credentialsId: 'mytoken', variable: 'TOKEN')]) {
        sh '''
            set +x
            curl -H 'Token: $TOKEN' https://some.api/
        '''
    }
}
Solution 3 - Jenkins
In your specific situation (using gradle and jenkins) you could also use a Password Parameter, using Gradle's pattern for environment variables (ORG_GRADLE_PROJECT_prop). Gradle will then set a prop property on your project.
In your case this would look something like this
And you can use it in your gradle.properties like this
signingConfigs {
    release {
        storeFile file(KEYSTORE)
        storePassword KSTOREPWD
        keyAlias ALIAS
        keyPassword KEYPWD
    }
}
BTW - I recommend using the credentials binding plugin for KEYSTORE