Store sensitive export options in dedicated credentials file #76165
Since the rest of the values can be read from env. variables, `script_encryption_key` should be as well (in the `editor_export_platform.cpp`, there are two `String script_key = p_preset->get_script_encryption_key().to_lower();` lines where it's used).
No problem, but I have to look into how to do this cleanly since the script encryption key is handled differently and by different classes than the rest of the properties here.

Edit: In particular, I'm concerned with where to store the environment variable name. Every export platform has its own encryption key, so there needs to be a dedicated environment variable for each platform. That makes it platform-dependent code,
06b2b21 to 44edc7d
I implemented the requested changes and extended it so that the script encryption key can also be set by environment variables.
a3ae30c to 5902532
Needs rebase after #74644

Newly added `codesign/provisioning_profile` in macOS exporter should be added to credentials as well (local file path, so not critical).
5902532 to c235830
Rebased and fixed the issues pointed out by @m4gr3d. There's still the question of whether it is necessary to have an environment variable for the script encryption key per platform. I'm happy to go either way, but I'd need someone with more authority to make a final decision.

Rebased and changed script encryption key environment variable to be the same for all platforms.
This looks really solid. Great work!
Looks great!
Thanks!
Closes godotengine/godot-proposals#1156
This PR splits sensitive information from the `export_presets.cfg` file off into a new `export_credentials.cfg` file. This effectively allows users to commit export presets to version control without making confidential information public.

The change is transparent and seamless for the most part. Old export presets are loaded fine and all the credentials are preserved*. The next time any export presets are changed, the new format is being used automatically. For a list of properties that are considered confidential, see the linked proposal.

*: The only exception to this is the script encryption key. Users will have to re-enter it the next time they open the export presets UI.

I included two minimal projects to highlight the change. `Before Credentials` contains the old file layout and can be used to test the conversion from before this PR to after. `With Credentials` shows how export presets are stored with this PR merged.

Before Credentials.zip
With Credentials.zip
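
A pre-commit style check for the split described above, as an added example that is not code from this PR or from Godot. It assumes a `[section]` / `key="value"` file layout with `;` comments, checks only the two properties named in this thread (extend the set from the linked proposal), and uses constructed sample files and the hypothetical function name `find_leftover_secrets`.

```python
import re

# Properties named in this thread; the full list lives in the linked proposal.
SENSITIVE_KEYS = {"script_encryption_key", "codesign/provisioning_profile"}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
PAIR_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")

def find_leftover_secrets(cfg_text, sensitive=SENSITIVE_KEYS):
    """Return (section, key) pairs whose sensitive value is still non-empty.

    Only locations are reported, never the values, so the output is safe
    to print in CI logs.
    """
    findings = []
    section = ""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # assumed comment syntax
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = PAIR_RE.match(line)
        if m and m.group("key") in sensitive:
            if m.group("value").strip().strip('"'):
                findings.append((section, m.group("key")))
    return findings

# Constructed sample: presets file written before the split.
OLD_LAYOUT = '''[preset.0]
name="macOS"
script_encryption_key="constructed-not-a-real-key"

[preset.0.options]
codesign/provisioning_profile="/home/dev/constructed.provisionprofile"
application/name="Demo"
'''

# Constructed sample: presets file after the credentials moved out.
NEW_LAYOUT = '''[preset.0]
name="macOS"

[preset.0.options]
application/name="Demo"
'''

if __name__ == "__main__":
    for section, key in find_leftover_secrets(OLD_LAYOUT):
        print(f"still in presets file: [{section}] {key}")
```

Run against the presets file before committing; any finding means a credential has not yet been moved to the credentials file.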