【Question title】: Store .jks file in google secret manager without getting non UTF-8 file?
【Posted】: 2022-02-14 22:57:40
【Question description】:

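Thank you for all the replies. I am still facing this issue. Just to make things clearer, I have provided the full details of cloudbuild.yaml and build.gradle as well as the key property details. Please let me know whether the configuration is correct and how to solve the JKS problem.

I am integrating a CI/CD pipeline into a Flutter project using GCP. I tried to store it in Google Secret Manager and call it from inside the code, but it gives an error saying the secret env variable cannot be in non-UTF-8 format.

So I tried a few things:

  1. I tried converting the .JKS file into a viewable txt file. After that it gave me an error saying the secret env variable cannot have a null value.

  2. I tried storing the JKS file in Cloud Storage, but even though I provided the link and all the necessary Cloud Build permissions, the code could not fetch the contents of the JKS.

Please suggest some fixes or an alternative storage area in GCP.

For more clarity, I have added the code.

--------------------------------------------------------------------------------

Approach 1: trying to access the JKS file from Secret Manager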

Secret Manager KEY VALUE structure

key                      value
KEYSTORE_PASSWORD       xxxxxxxxxxxx        
KEY_PASSWORD            xxxxxxxxxxxx
KEY_ALIAS               upload
JKS                     fe ed fe ed 00 00 00.....

build.sh

cd /workspace/$1
VERSION_NAME=$(git describe)
VERSION_CODE=$(git rev-list --count master)
flutter build apk --build-name=$VERSION_NAME --build-number=$VERSION_CODE


cloudbuild.yaml:

# Flutter CD configuration file with Cloud build

steps:

  # clone the latest source codes
  - name: 'gcr.io/cloud-builders/git'
    args: ['clone', 'https://XXXXX:ACCOUNT_PASSWORD@bitbucket.org/XXXXXXXX/XX.git']
    dir: '/workspace'

  # using flutter builder Docker image we have built previously to compile the repo
  - name: 'gcr.io/$PROJECT_ID/flutter'
    entrypoint: 'bash'
    args: [ 'build.sh']
    secretEnv: ['KEYSTORE_PASSWORD','KEY_PASSWORD', 'KEY_ALIAS', 'JKS']

  # Push the APK Output to your GCS Bucket with Short Commit SHA.
  - name: 'gcr.io/cloud-builders/gsutil'
    args: [ 'cp', 'build/app/outputs/flutter-apk/app-release.apk', 'gs://BUCKET_NAME' ]

availableSecrets:
  secretManager:
  - versionName: projects/xxxxxx/secrets/KEYSTORE_PASSWORD/versions/1
    env: 'KEYSTORE_PASSWORD'
  - versionName: projects/xxxxxxx/secrets/KEY_PASSWORD/versions/1
    env: 'KEY_PASSWORD'
  - versionName: projects/xxxxxx/secrets/KEY_ALIAS/versions/1
    env: 'KEY_ALIAS'
  - versionName: projects/xxxxxxx/secrets/upload-keystore-jks/versions/1
    env: 'JKS'

build.gradle:

def localProperties = new Properties()
def localPropertiesFile = rootProject.file('local.properties')
if (localPropertiesFile.exists()) {
    localPropertiesFile.withReader('UTF-8') { reader ->
        localProperties.load(reader)
    }
}

def flutterRoot = localProperties.getProperty('flutter.sdk')
if (flutterRoot == null) {
    throw new GradleException("Flutter SDK not found. Define location with flutter.sdk in the local.properties file.")
}

def flutterVersionCode = localProperties.getProperty('flutter.versionCode')
if (flutterVersionCode == null) {
    flutterVersionCode = '1'
}

def flutterVersionName = localProperties.getProperty('flutter.versionName')
if (flutterVersionName == null) {
    flutterVersionName = '1.0'
}

apply plugin: 'com.android.application'
apply plugin: 'kotlin-android'
apply from: "$flutterRoot/packages/flutter_tools/gradle/flutter.gradle"

android {
    compileSdkVersion flutter.compileSdkVersion

    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }

    kotlinOptions {
        jvmTarget = '1.8'
    }

    sourceSets {
        main.java.srcDirs += 'src/main/kotlin'
    }

    defaultConfig {
        // TODO: Specify your own unique Application ID (https://developer.android.com/studio/build/application-id.html).
        applicationId "com.XXX.XXX"
        minSdkVersion flutter.minSdkVersion
        targetSdkVersion flutter.targetSdkVersion
        versionCode flutterVersionCode.toInteger()
        versionName flutterVersionName
    }

    signingConfigs {
        release {
            keyAlias System.getenv("KEY_ALIAS")
            keyPassword System.getenv("KEY_PASSWORD")
            storePassword System.getenv("KEYSTORE_PASSWORD")
            storeFile System.getenv("JKS")
        }
    }
    buildTypes {
        release {
            signingConfig signingConfigs.release
        }
    }

}

flutter {
    source '../..'
}

dependencies {
    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
}   


ERROR
==============================================================================================================
build step 1 "gcr.io/buildtrial-1/flutter" failed: secret projects/xxxxxxx/secrets/upload-keystore-jks/versions/1 value is not valid UTF-8

==============================================================================================================

NOTE:
1. The build.gradle file is the same for both approaches, as the JKS variable name is consistent in both approaches.
2. I've verified that 'KEYSTORE_PASSWORD', 'KEY_PASSWORD' and 'KEY_ALIAS' are working properly; the only problem is with accessing the JKS file in both approaches.

--------------------------------------------------------------------------------

Approach 2: trying to access the JKS file from Cloud Storage.

cloudbuild.yaml:

# Flutter CD configuration file with Cloud build

steps:

  # clone the latest source codes
  - name: 'gcr.io/cloud-builders/git'
    args: ['clone', 'https://XXXXX:ACCOUNT_PASSWORD@bitbucket.org/XXXXXXXX/XX.git']
    dir: '/workspace'

  #accessing the JKS file stored in cloud storage through environment variable
  - name: 'gcr.io/cloud-builders/gsutil'
    env:
      - 'JKS=gs://BUCKET_NAME/KEYSTORE.jks'

  # using flutter builder Docker image we have built previously to compile the repo
  - name: 'gcr.io/$PROJECT_ID/flutter'
    entrypoint: 'bash'
    args: [ 'build.sh']
    secretEnv: ['KEYSTORE_PASSWORD','KEY_PASSWORD', 'KEY_ALIAS']

  # Push the APK Output to your GCS Bucket with Short Commit SHA.
  - name: 'gcr.io/cloud-builders/gsutil'
    args: [ 'cp', 'build/app/outputs/flutter-apk/app-release.apk', 'gs://BUCKET_NAME' ]

availableSecrets:
  secretManager:
  - versionName: projects/xxxxxx/secrets/KEYSTORE_PASSWORD/versions/1
    env: 'KEYSTORE_PASSWORD'
  - versionName: projects/xxxxxxx/secrets/KEY_PASSWORD/versions/1
    env: 'KEY_PASSWORD'
  - versionName: projects/xxxxxx/secrets/KEY_ALIAS/versions/1
    env: 'KEY_ALIAS'

ERROR
================================================================================

Step #2: Execution failed for task ':app:validateSigningRelease'.
Step #2: > Keystore file not set for signing config release

================================================================================

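【Comments】:

  • It looks like JKS is a binary format, so it has to be stored in binary form. It feels like you have to extract the JKS into a "local file" where it can be used. Can you elaborate on how you build your application from source and where the JKS file is supposed to be found?
  • Thanks for your reply. I have attached the details; please take a look and suggest a fix.
  • Can you also share the JKS-related part of your build.sh file? The first approach can work, the second cannot (I will explain in an update to my answer later).
  • I have added build.sh above, but I have not written anything for the JKS file in build.sh. Should I add something? If so, please specify.

Tags: flutter google-cloud-platform google-cloud-storage jks google-secret-manager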


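【Solution 1】:

When you have binary files, you have to convert them to base64 and store them encoded.

In your application, read the base64 content from Secret Manager, decode it and use it.

【Comments】:

  • Thanks for your reply. I have attached the details; please take a look and suggest a fix.
  • The problem still persists. Could you please provide more context on how to implement the solution you mentioned? I tried to implement the solution given for non-UTF-8 in this document, cloud.google.com/build/docs/securing-builds/use-secrets, but I couldn't. More information about the implementation would be much appreciated.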
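
One way to carry out the base64 approach from Solution 1 inside build.sh, as an added example that is not part of the original thread. The names `JKS_B64` and `KEYSTORE_PATH` and the `<SECRET_NAME>` placeholder are assumptions, and the sample value is constructed (JKS magic bytes only, not a real keystore).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. JKS_B64 and KEYSTORE_PATH are assumed names.
#
# One-time, on a trusted machine: store the keystore as base64 text, e.g.
#   base64 -w0 upload-keystore.jks | gcloud secrets versions add <SECRET_NAME> --data-file=-
# and map that secret to JKS_B64 under secretEnv in cloudbuild.yaml.

# Decode base64 text ($1) into file ($2), readable by the build user only,
# and check the JKS magic bytes (fe ed fe ed) before Gradle sees the file.
restore_keystore() {
  local b64="$1" out="$2" magic
  if [ -z "$b64" ]; then
    echo "keystore secret is empty" >&2
    return 1
  fi
  if ! ( umask 077; printf '%s' "$b64" | base64 -d > "$out" ) 2>/dev/null; then
    echo "keystore secret is not valid base64" >&2
    rm -f "$out"
    return 1
  fi
  magic=$(head -c 4 "$out" | od -An -tx1 | tr -d ' \n')
  if [ "$magic" != "feedfeed" ]; then
    echo "decoded data is not a JKS keystore" >&2
    rm -f "$out"
    return 1
  fi
}

# Constructed sample: the 4-byte JKS magic plus a version field, not a real keystore.
# In build.sh the value comes from the JKS_B64 secret environment variable instead.
SAMPLE_B64=$(printf '\376\355\376\355\000\000\000\002' | base64)

KEYSTORE_PATH=$(mktemp)
trap 'rm -f "$KEYSTORE_PATH"' EXIT   # do not leave key material behind after the build

if restore_keystore "${JKS_B64:-$SAMPLE_B64}" "$KEYSTORE_PATH"; then
  export JKS="$KEYSTORE_PATH"        # JKS now holds a file path, not the keystore bytes
  echo "keystore restored to $JKS"
fi
```

With the keystore on disk, `JKS` carries a path, so the `storeFile` line in build.gradle can wrap it as `file(System.getenv("JKS"))`.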