Credentials for Artifactory, Nexus or the like are usually stored in ~/.gradle/gradle.properties. But what if you don't want to store passwords in plaintext, or you need to change them frequently? Wouldn't it be nicer to use a system keyring that manages the passwords and keeps them encrypted?
Since I'm developing on an Ubuntu VM at work, I've tried solving this problem using the gnome-keyring. But the same solution can work with any system-level keyring/keychain.
In order to access the gnome-keyring from Gradle I first needed to be able to access it from the shell. This is possible either via Python or via a utility aptly called "secret-tool" (sudo apt-get install libsecret-tools). With secret-tool a password can be accessed like this:
secret-tool lookup server git.company.ch
It will return the first password that has an attribute "server" with the value "git.company.ch". If the keyring is locked, a system prompt will pop up asking for the password to unlock it. secret-tool can also be used to store or clear passwords. A full reference can be found here.
Now that I was able to read a password from the keyring in the shell, all I needed was a custom Gradle script that provides the password to the repository stage.
Since I want the CI server to continue being able to use gradle.properties, the script first attempts to read the property jFrogPassword. If the property is set, it uses that value. If it's not set, it tries getting the password from the keyring. Of course, if you only use the keyring you can omit this from your Gradle script.
In the build.gradle the script is applied like this:
apply from: "credentials.gradle"
and the username and password are available via the "jFrogUser" and "jFrogPassword" variables.
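One way to write such a credentials.gradle, as an added example that is not the author's original script. It assumes that jFrogUser is kept in gradle.properties and that the keyring entry carries the attribute server=git.company.ch from the lookup above; the lookupSecret helper is a hypothetical name.

```groovy
// credentials.gradle -- added example, not the script from the original post.
// Assumptions: jFrogUser lives in gradle.properties (it is not a secret) and the
// keyring entry carries the attribute server=git.company.ch used in the post.

// Hypothetical helper: ask the keyring via secret-tool; null when nothing usable comes back.
def lookupSecret = { String attribute, String value ->
    def out = new ByteArrayOutputStream()
    def err = new ByteArrayOutputStream()
    try {
        // List form of execute(): arguments go straight to the process, no shell parsing.
        def proc = ['secret-tool', 'lookup', attribute, value].execute()
        proc.waitForProcessOutput(out, err)   // blocks while the unlock prompt is shown
        if (proc.exitValue() != 0) {
            logger.info("secret-tool exited with ${proc.exitValue()}: ${err.toString().trim()}")
            return null
        }
    } catch (IOException e) {
        // secret-tool is not installed or not on the PATH
        logger.info("secret-tool could not be started: ${e.message}")
        return null
    }
    // Drop only a trailing newline; other whitespace may be part of the password.
    def secret = out.toString('UTF-8').replaceFirst(/\r?\n\z/, '')
    return secret ?: null
}

// 1. gradle.properties (or -PjFrogPassword=...) wins, so the CI server never touches a keyring.
def password = findProperty('jFrogPassword')

// 2. Otherwise fall back to the keyring on the developer machine.
if (!password) {
    password = lookupSecret('server', 'git.company.ch')
}

// Fail early with a clear message instead of sending empty credentials to the repository.
if (!password) {
    throw new GradleException('jFrogPassword is not set and no matching keyring entry was found')
}

def user = findProperty('jFrogUser')
if (!user) {
    throw new GradleException('jFrogUser is not set in gradle.properties')
}

ext.jFrogUser = user
ext.jFrogPassword = password   // never print or log this value
```

The keyring is only queried when the property is absent, so a headless CI agent without a keyring daemon is unaffected, and the password itself is never written to the build log.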