Accessing a password in MacOS Keychain via Jenkins Execute shell


While patching a recent security vulnerability in Jenkins, we had to change the way agents connect to the master. Now we are using SSH to connect them, and that has caused a few changes to the way we set up environment variables, etc.

So we have moved the setting of environment variables to a separate script and call that within Jenkins jobs as below.

[screenshot of the Jenkins Execute shell step calling the environs script; image not included]

Within the environs script we have code like below, and it's working alright.

# environs script, sourced by the job: turn off xtrace so the assignments are not echoed
set +x
export ANDROID_CONFIG="/Users/........../android_config.txt"
export IOS_CONFIG="/Users/............/ios_config.txt"

Although direct variable assignment works fine, a command like the one below causes some issues:

# unlock the keychain, passing the password on the command line
security -v unlock-keychain -p <**password**> <path_to_keychain>
# -w prints only the password of the matching item
security -q find-generic-password -s local_keystore -w

Even with the set +x command, the password is visible in the Jenkins job's terminal output. Is there a way to provide this password in a secure manner? Anyone who has access to the Jenkins web portal job can access this password one way or the other. I am thinking about internal threat vectors as well.

There was no change in running the shell script directly or via the source command.

If this is not the ideal way, is there a better way of achieving this?

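No answer was posted. As an added example (not from the original question or from Jenkins), the script below is how I would call `security` from an Execute shell step so the password stays out of the console. Two details matter: `security -v` is verbose mode, which makes the tool itself print the subcommand and its quoted arguments to stderr, password included, independently of the shell's `set +x`; and `find-generic-password -w` writes the secret to stdout, so if the command runs bare its output lands in the job log. The variable names KEYCHAIN_PASSWORD and KEYCHAIN_PATH are assumptions: the idea is that Jenkins injects them (for example with the Credentials Binding plugin, which also masks the bound value in console output) rather than the script containing a literal.

```sh
#!/bin/sh
# Added example, not code from the original question. Jenkins "Execute shell"
# runs the step with `sh -xe`, so every command is traced to the console.
# Assumed (hypothetical) contract: Jenkins injects the keychain password as
# KEYCHAIN_PASSWORD (e.g. via the Credentials Binding plugin) and the keychain
# path as KEYCHAIN_PATH. Nothing secret is written in this file.

# Unlock the keychain without tracing the command. Xtrace is switched off only
# inside this function and restored afterwards, so the rest of the job keeps
# whatever -x Jenkins configured.
unlock_keychain() {
    local xtrace_was_on rc
    xtrace_was_on=0
    case "$-" in *x*) xtrace_was_on=1 ;; esac
    set +x
    if [ -z "${KEYCHAIN_PASSWORD:-}" ] || [ -z "${KEYCHAIN_PATH:-}" ]; then
        echo "unlock_keychain: KEYCHAIN_PASSWORD and KEYCHAIN_PATH must be set" >&2
        [ "$xtrace_was_on" -eq 1 ] && set -x
        return 2
    fi
    # No -v here: verbose mode makes `security` print its own argument list.
    # -p still places the password in argv, where `ps` on the agent can read
    # it, so local users on the build host must be trusted.
    if security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"; then
        rc=0
    else
        rc=$?
    fi
    [ "$xtrace_was_on" -eq 1 ] && set -x
    return "$rc"
}

# Read a generic password from the keychain into a variable instead of letting
# it reach the console: -w prints only the secret, so the caller captures it.
get_generic_password() {
    security -q find-generic-password -s "$1" -w
}

# Usage from the Jenkins step; runs only when the credentials were injected.
if [ -n "${KEYCHAIN_PASSWORD:-}" ] && [ -n "${KEYCHAIN_PATH:-}" ]; then
    unlock_keychain
    KEYSTORE_PW=$(get_generic_password local_keystore)
    # pass "$KEYSTORE_PW" to the build tool as an argument; never echo it
fi
```

On the insider question: console masking only hides the value in the log. Anyone allowed to edit the job configuration can still add `echo "$KEYCHAIN_PASSWORD"` to the step, so the real control is restricting who can configure that job (Jenkins' per-job permissions) and keeping the secret out of the workspace and out of any checked-in script.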