christian-schlichtherle / truelicense

An open source engine for license management on the Java Virtual Machine.
https://truelicense.namespace.global
Apache License 2.0

Should some secret be kept private from the VCS? #12

Closed GrahamLea closed 4 years ago

GrahamLea commented 4 years ago

From reading the documentation, it seems like the default recommendation is to check both the keystores and the password (which I see is in the POM) into VCS.

I'm thinking about the threat that the source code of a licensing project might be stolen from VCS, and how to protect against that.

Obviously the first step is to keep the repo private. I'm wondering is there another recommendation for keeping some secret out of VCS that prevents someone with the repo from generating licenses?

Would keeping the password out of the POM and storing only it in a local file do the trick?

Or should the keystores not be checked in if this is a concern?

christian-schlichtherle commented 4 years ago

By default, the password is used to access the keystore and encrypt the license key. This could be changed, but there is little reason to. So to protect yourself from somebody else generating license keys for your software product, you only need to keep the keystore in the keygen module under lock and key. The keystore in the keymgr project only contains trusted certificate entries, so it's safe for you to have your developers consume it as a dependency.

christian-schlichtherle commented 4 years ago

In other words, I would recommend to check in the keystore files so that you have a backup in Git and then only deploy (publish) the keymgr and keymgr-service modules.

./mvnw clean deploy --projects keymgr-service --also-make

Of course, this implies that you should keep the Git repository under lock and key.
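The distinction made above, a private key only in the keygen keystore and nothing but trusted certificate entries in the keymgr keystore, is something a repository hygiene check can verify before a keystore file is committed or published. The following is an added example and not TrueLicense code; it assumes the keystores are in the legacy JKS format (not PKCS12) and only reads entry types, leaving the encrypted private key bytes untouched. The sample keystores, aliases and password it builds are constructed placeholders, not real keys or certificates.

```python
"""List the entry types of a JKS keystore without decrypting anything (added example)."""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED          # first four bytes of every JKS file
PRIVATE_KEY_TAG = 1             # entry holds an encrypted private key plus its cert chain
TRUSTED_CERT_TAG = 2            # entry holds only a certificate
_DIGEST_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its integrity digest


class _Reader:
    """Minimal big-endian cursor over the keystore bytes (mirrors DataInputStream)."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def utf(self):
        (n,) = struct.unpack_from(">H", self.data, self.pos)
        self.pos += 2
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        return s

    def blob(self):
        n = self.u32()
        b = self.data[self.pos:self.pos + n]
        self.pos += n
        return b


def jks_entries(data, password=None):
    """Return [(alias, kind)] for every entry; kind is the keytool -list wording.
    If a password is given, the trailing SHA-1 integrity digest is checked as well."""
    r = _Reader(data)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    if r.u32() != 2:
        raise ValueError("unsupported JKS version")
    entries = []
    for _ in range(r.u32()):
        tag = r.u32()
        alias = r.utf()
        r.u64()                                   # creation timestamp, not needed here
        if tag == PRIVATE_KEY_TAG:
            r.blob()                              # encrypted private key, skipped unread
            for _ in range(r.u32()):              # certificate chain
                r.utf(), r.blob()
            entries.append((alias, "PrivateKeyEntry"))
        elif tag == TRUSTED_CERT_TAG:
            r.utf(), r.blob()                     # certificate type and DER bytes
            entries.append((alias, "trustedCertEntry"))
        else:
            raise ValueError("unknown entry tag %d" % tag)
    if password is not None:
        expected = hashlib.sha1(password.encode("utf-16-be") + _DIGEST_SALT + data[:r.pos]).digest()
        if data[r.pos:r.pos + 20] != expected:
            raise ValueError("integrity check failed: wrong password or modified file")
    return entries


def private_key_aliases(data):
    """Aliases that would let the holder sign license keys; must be empty for a keymgr keystore."""
    return [alias for alias, kind in jks_entries(data) if kind == "PrivateKeyEntry"]


def build_jks(entries, password):
    """Build a minimal JKS file from (alias, tag, payload) tuples for the demo below.
    Payloads are placeholder bytes, not real keys or certificates (constructed)."""
    def utf(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b

    def blob(b):
        return struct.pack(">I", len(b)) + b

    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag, payload in entries:
        out += struct.pack(">I", tag) + utf(alias) + struct.pack(">Q", 0)
        if tag == PRIVATE_KEY_TAG:
            out += blob(payload) + struct.pack(">I", 1) + utf("X.509") + blob(b"placeholder-cert")
        else:
            out += utf("X.509") + blob(payload)
    return out + hashlib.sha1(password.encode("utf-16-be") + _DIGEST_SALT + out).digest()


# Constructed samples: what the keygen and keymgr keystores should look like in shape.
KEYSTORE_PASSWORD = "changeit"  # placeholder, not a real password
KEYGEN_KEYSTORE = build_jks([("keygen", PRIVATE_KEY_TAG, b"placeholder-encrypted-key")], KEYSTORE_PASSWORD)
KEYMGR_KEYSTORE = build_jks([("keygen", TRUSTED_CERT_TAG, b"placeholder-cert")], KEYSTORE_PASSWORD)

if __name__ == "__main__":
    for name, ks in (("keygen", KEYGEN_KEYSTORE), ("keymgr", KEYMGR_KEYSTORE)):
        keys = private_key_aliases(ks)
        print("%s keystore: %s" % (name, "contains private key(s) %s, keep out of VCS" % keys if keys else "trust-only, safe to publish"))
```

Run over a real `.jks` file by reading its bytes and calling `private_key_aliases`; the function only walks the entry headers, so it never touches the password-protected key material. A pre-commit hook that refuses any staged keystore for which this list is non-empty catches the mistake the thread is about before the private key ever reaches the repository.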

GrahamLea commented 4 years ago

you should keep the Git repository under lock and key

Yeah, that was assumed. 😁

I'm keen on addressing the additional threat of that repo being compromised. So it looks like I should keep the keygen/ keystore somewhere other than the repo and make sure it's backed up somewhere else.

Thanks for the quick response.