This plugin adds com.xvyg.keychain.Credentials
object (of the same name as sbt.Credentials
),
bringing capability of obtaining password from the system keychain, the following keychains are supported:
- Mac OS X Keychain
- GNOME's
gnome-keyring
and its companionsecret-tool
Normally you have something like this in your build.sbt or project/plugins.sbt:
credentials ++= Seq(Credentials(Path.userHome / ".ivy2" / ".credentials"))
Where sbt.Credentials
sources these properties from the file:
realm=Sonatype Nexus Repository Manager
host=repo.mynexus.com
user=aleksandrvin
password=XXXXXX
The problem is password stored in plain text on your filesystem.
To remove plain text password from the file, you add sbt-keychain-credentials as a global plugin by adding this line to your ~/.sbt/1.0/plugins/build.sbt:
addSbtPlugin("com.xvyg" % "sbt-keychain-credentials" % "1.0.3")
and these lines to your ~/.sbt/1.0/global.sbt (with your own path to credentials file):
import com.xvyg.sbt.keychain.Credentials
credentials ++= Seq(Credentials(Path.userHome / ".ivy2" / ".credentials", sLog.value, Credentials.MAC))
This will place credentials with password, obtained from your system's keychain, somewhere
close to the head of credentials
list. So everywhere in your project, where you have
Credentials(Path.userHome / ".ivy2" / ".credentials")
, you need to check that they
are appended to the list.
This will bring you next warning when you recompile your project:
$ sbt compile
[info] Loading settings from build.sbt ...
[info] Loading global plugins from /Users/aleksandr.vinokurov/.sbt/1.0/plugins
[info] Updating ProjectRef(uri("file:/Users/aleksandr.vinokurov/.sbt/1.0/plugins/"), "global-plugins")...
[info] Done updating.
[info] Loading settings from plugins.sbt ...
[info] Loading project definition from /Users/aleksandr.vinokurov/Developer/project
************************************************************************
Password appears to be stored as plain text in the file!
/Users/aleksandr.vinokurov/.ivy2/.credentials
Consider removing it from that file and storing in system's Keychain.
You can use the command below for this:
security add-generic-password -a aleksandrvin -s repo.mynexus.com -w
************************************************************************
Now you are ready to remove password from that file (~/.ivy2/.credentials in this example) and securely store it in Mac OS X Keychain. You can do it with the Keychain Access app or with the command suggested for you in the warning message. In this example it is:
security add-generic-password -a aleksandrvin -s repo.mynexus.com -w
It will ask you for the password when called.
Now you need to replace that password=XXXXXXX
line with password=
. If you remove the
whole line -- you will see sort of the warnings below:
[info] Reading credentials from /Users/aleksandr.vinokurov/.ivy2/.credentials ...
[info] Obtaining password from system's keychain ...
[warn] password not specified in credentials file: /Users/aleksandr.vinokurov/.ivy2/.credentials
Where first two information messages come from keychain.Credentials
and the later --
from sbt.Credentials
. It will be ignored by the SBT, but anyway -- it is nicer to keep
the line password=
in the credentials file to skip those warnings.
You're done. Recompiling your project should go without warnings about that password thing.
Plugin is cross built for SBT 0.13.X, all what is different is that you need to apply steps in ~/.sbt/0.13/ directory.