hyperbrew / bolt-cep

A lightning-fast boilerplate for building Adobe CEP Extensions in React, Vue, or Svelte built on Vite + TypeScript + Sass
MIT License

zxp password included as raw text in build bundle #112

Closed lucadalli closed 1 year ago

lucadalli commented 1 year ago

I am new to CEP plugin development and unfamiliar with the whole signing process but I noticed that the zxp.password is included as raw text in the jsx/index.js file of the build bundle.

Is this a security concern?

justintaylor-dev commented 1 year ago

Not if you're self-signing, if you want to sign with real paid certs then yea that could be a concern, but ZXP security isn't correctly implemented so there's really no point. To avoid this from showing up in the bundle then just don't import the config to get the id, just copy it manually or stick it in another file that you import.

If you want to chat more general topics like this for Bolt CEP, feel free to join our Discord: https://discord.gg/PC3EvvuRbc
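A build-time check for the leak discussed in this thread, added here as an example and not part of the issue or of Bolt CEP's own code: it scans the emitted bundle for the password value, including the escaped form a bundler writes into a string literal. The `ZXP_PASSWORD` variable, the directory argument and the sample bundles are assumptions constructed for illustration.

```javascript
// Added example: fail the build if a config secret shows up in the output bundle.
// Assumed names: ZXP_PASSWORD env var and the directory argument are placeholders.

// Forms a string can take once a bundler has emitted it as a JS literal:
// the raw value, and the JSON-escaped value (quotes and backslashes escaped).
function variants(secret) {
  const escaped = JSON.stringify(secret).slice(1, -1);
  return [...new Set([secret, escaped])];
}

// Scan one file's text. Returns [{file, line}] and never echoes the secret.
function scanText(file, text, secrets) {
  const hits = [];
  text.split("\n").forEach((row, i) => {
    for (const s of secrets) {
      if (s && variants(s).some((v) => row.includes(v))) {
        hits.push({ file, line: i + 1 });
        break;
      }
    }
  });
  return hits;
}

// Walk a build directory recursively and scan every file in it.
async function scanDir(dir, secrets) {
  const fs = await import("node:fs/promises");
  const path = await import("node:path");
  let hits = [];
  for (const entry of await fs.readdir(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) hits = hits.concat(await scanDir(full, secrets));
    else hits = hits.concat(scanText(full, await fs.readFile(full, "utf8"), secrets));
  }
  return hits;
}

// Constructed sample: a bundle that inlined the whole config object.
const leakyBundle =
  'var config = {\n  id: "com.example.panel",\n  zxp: { password: "s3cret\\"pw" }\n};';
// Constructed sample: a bundle that only received the id.
const cleanBundle = 'var ns = "com.example.panel";';

// CLI use: ZXP_PASSWORD=... node check-bundle.js <build-dir>
if (process.env.ZXP_PASSWORD && process.argv[2]) {
  scanDir(process.argv[2], [process.env.ZXP_PASSWORD]).then((hits) => {
    hits.forEach((h) => console.error(`secret found in ${h.file}:${h.line}`));
    process.exitCode = hits.length ? 1 : 0;
  });
}
```

Run it after the build step so a non-zero exit blocks packaging when the value is present in any emitted file.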

lucadalli commented 1 year ago

Hi Justin,

Thanks for clarifying! I have joined the Discord.

Kind regards, Luca

From: Justin Taylor Sent: 08 November 2023 16:32 To: hyperbrew/bolt-cep Cc: Luca Dalli; Author Subject: Re: [hyperbrew/bolt-cep] zxp password included as raw text in buildbundle (Issue #112)

Not if you're self-signing, if you want to sign with real paid certs then yea that could be a concern, but ZXP security isn't correctly implemented so there's really no point. To avoid this from showing up in the bundle then just don't import the config to get the id, just copy it manually or stick it in another file that you import. If you want to chat more general topics like this for Bolt CEP, feel free to join our Discord: https://discord.gg/PC3EvvuRbc