Uploaded image for project: 'Apache Cordova'
  1. Apache Cordova
  2. CB-11528

Remove verbose mode from xcrun in build.js to prevent logging of environment variables.

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: cordova-ios
    • Labels:
      None

      Description

      During the build process for IOS, xcrun is called with the "-v" option for verbose output. As part of the output, xcrun prints out all the environment variables. This can be a security issue on CI servers because CI servers often provide a way to store encrypted secrets that are decrypted and put in environment variables during the build. When xcrun prints out all the environment variables, the output on the CI server is then logged containing the unencrypted versions of the secrets.

      Current the workaround is to use the --noSign option and then call xcrun directly. However, it would be nice to remove the "-v" option when calling "xcrun" in Cordova.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                shazron Shazron Abdullah
                Reporter:
                mgottlieb@artifacthealth.com Meir Gottlieb
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: