Return-Path: 
 <ant-user-return-8546-apmail-jakarta-ant-user-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-ant-user-archive@jakarta.apache.org
Received: (qmail 54326 invoked by uid 500); 8 Jun 2001 12:34:10 -0000
Mailing-List: contact ant-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:ant-user@jakarta.apache.org>
List-Help: <mailto:ant-user-help@jakarta.apache.org>
List-Unsubscribe: <mailto:ant-user-unsubscribe@jakarta.apache.org>
List-Subscribe: <mailto:ant-user-subscribe@jakarta.apache.org>
Reply-To: ant-user@jakarta.apache.org
Delivered-To: mailing list ant-user@jakarta.apache.org
Received: (qmail 54310 invoked from network); 8 Jun 2001 12:34:06 -0000
Sender: cwturner@ns1.cyterm.com
Message-ID: <3B20C56A.5827E308@cycom.co.uk>
Date: Fri, 08 Jun 2001 13:30:34 +0100
From: Christopher William Turner <cwturner@cycom.co.uk>
Organization: Cycom Limited, www.cycom.co.uk
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-22 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: ant-user@jakarta.apache.org
Subject: ant security risk
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: h31.sny.collab.net 1.6.2 0/1000/N

I'm using ant to build signed jars with a real expensive certificate.
Obviously I don't want my passphrases to be embedded
anywhere. So

<signjar ... storepass="mysecretisout" />
is an unsafe solution
 
<signjar ... storepass="${keystorepass}" /> 
is little better since I must do builds like:
ant -Dkeystorepass=mysecretisout
which gets recorded in my command history file.

The solution is to prompt for the password. I would like
ant to support this but I couldn't find any prompting tasks.

Please could such a password prompt facility be built into ant?.
Maybe with a syntax like:

<askuser destproperty="keystorepass" echo="false" prompt="enter keystore
password" url="console:"/>

-- 
Christopher William Turner, http://www.cycom.co.uk/ "Serving fine Java
since 1996"