How to use encrypted password for maven settings.xml

I followed this post to use ${env.MAVEN_PASSWORD} and set the variables under Settings > Variables.

I have settings.xml with

<server>
  <id>my-repo</id>
  <username>${env.MAVEN_USER}</username>
  <password>${env.MAVEN_PASSWORD}</password>
</server>

And settings-security.xml with

<settingsSecurity>
    <master>${env.MAVEN_MASTER}</master>
</settingsSecurity>

I committed these 2 files to the repository under a folder “gitlab”.

Then in .gitlab-ci.yml, I did this:

build:
  image: "mcpayment/ubuntu-java8:1604-build"
  stage: build
  before_script:
    - mkdir /root/.m2
    - mkdir /root/.m2/repository
    - cp gitlab/settings.xml /root/.m2/settings.xml
    - cp gitlab/settings-security.xml /root/.m2/settings-security.xml
  script:
    - mvn -f /builds/$CI_PROJECT_PATH/pom.xml clean install -U -B -X

All the steps appear to be correct except for this error:

Failed to decrypt password for server my-repo: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException
org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException

It appears that the variables are correctly passed in, as further down I find

[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://nexus-url/ with username=maven_user, password=***

The “username” value is as set in Variables.

Any suggestion on how to figure this out would be much appreciated.

I think you are better off asking on the Maven user list whether environment variables are picked up in settings-security.xml. I don’t think so.

BTW, what is the attack vector here? Someone who is able to access MAVEN_PASSWORD from the environment will be able to steal MAVEN_MASTER as well. This is a symmetric encryption which is trivial to invoke with a little Java program.

Your level of security changes if you are in charge of the runner and do volume mount the settings-security.xml. Then someone would need to hack the runner node and your GitLab project to decrypt the clear text password.

Thanks for the pointers.

My workaround is to create the settings-security.xml from the Gitlab CI script:

echo "<settingsSecurity><master>${MAVEN_MASTER}</master></settingsSecurity>" > /root/.m2/settings-security.xml
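As an added example (not from this thread), the same workaround as a small shell function that refuses an empty value, escapes XML special characters in the master password so the file stays well-formed, and creates the file readable only by the build user. The target directory and the MAVEN_MASTER variable name are taken from the thread; everything else is an assumption.

```shell
#!/bin/sh
# Added example: generate settings-security.xml from a CI variable
# (Maven does not interpolate ${env.*} inside this file).
set -eu

# Escape the five XML special characters so an arbitrary master
# password still yields a well-formed document.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
    -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_settings_security DIR MASTER
# Writes DIR/settings-security.xml with mode 0600; fails on an empty value.
write_settings_security() {
  dir="$1"
  master="$2"
  if [ -z "$master" ]; then
    echo "master password is empty; refusing to write settings-security.xml" >&2
    return 1
  fi
  mkdir -p "$dir"
  target="$dir/settings-security.xml"
  # umask 077 inside the subshell so the file is created as 0600
  ( umask 077
    printf '<settingsSecurity>\n  <master>%s</master>\n</settingsSecurity>\n' \
      "$(xml_escape "$master")" > "$target" )
  # tighten an already existing file as well
  chmod 600 "$target"
}

# Typical use in the CI before_script, assuming MAVEN_MASTER is a masked
# GitLab CI variable (assumption, not from the thread):
# write_settings_security /root/.m2 "$MAVEN_MASTER"
```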