gitmavenpassword-protectionmaven-release-pluginmaven-scm-plugin

Maven release plugin shows plaintext password on git push error


I'm running

mvn release:prepare -Dusername=myuser -Dpassword=mypassword

and see lines in output:

[INFO] Executing: cmd.exe /X /C "git push https://myuser:********@myserver.com:8081/scm/project/project.git refs/heads/master:refs/heads/master"

but if for some reason git push failed(e.g. I made a mistake typing password) then I see in log

[ERROR] fatal: unable to access 'https://myuser:mypassword@myserver.com:8081/scm/project/project.git/': SSL certificate problem: self signed certificate in certificate chain

So I see PLAINTEXT password. As I use this step on Teamcity it causes security problems when someone else can see my password if build failed. I tried both on Linux and Windows machines.

I use maven-release-plugin version 2.5.3.

Anybody knows how to fix it?


Solution

  • Use another git provider in the release plugin. I had this exact same problem when switching to another git server. Suddenly the Jenkins password was showing up in the build logs, even if there were no errors. Perhaps the git servers are using different authentication schemes.

    This worked for me:

     <plugin>
       <groupId>org.apache.maven.plugins</groupId>
       <artifactId>maven-release-plugin</artifactId>
       <version>2.5.3</version>
       <configuration>
         <providerImplementations>
           <git>jgit</git>
         </providerImplementations>
       </configuration>
       <dependencies>
         <dependency>
           <groupId>org.apache.maven.scm</groupId>
           <artifactId>maven-scm-provider-jgit</artifactId>
           <version>1.9.5</version>
         </dependency>
       </dependencies>                 
     </plugin>
    

    This problem was fixed about 6 months ago, according to this.