atpons
April 17, 2025

Securing Credentials for Package Manager and Bundler

When using private gems, tokens are passed to Bundler via environment variables or config.

Bundler would benefit from adopting credential helpers to reduce friction in automated environments and address security challenges, particularly when managing short-lived tokens. In this lightning talk, we'll explore how other package managers solved these challenges and present a practical proposal for bringing credential helpers to Bundler.

https://rubykaigi.org/2025/presentations/lt/


Transcript

  1. Bundler's Like This Now...
     • Using private gems
     • Usually download with static passwords and environment variables, config files!
     • Like:
       ◦ BUNDLE_HTTP_*_USERNAME
       ◦ .bundle/config

  2. Bundler's Like This Now... But have problems?
     • Is that super safe though?
       ◦ Is it safe to keep it on file?
     • What about those temporary tokens? How do we handle those?
       ◦ AWS CodeArtifact, GitHub OAuth Token…

  3. Check out: Other Package Managers Doing!
     • Some package managers support "Credential Helper"
     • Anyway, what's that?

  4. Credential Helper
     • A safer way to handle passwords and secrets
       ◦ It asks other tools, "Hey, got the password?"
     • Another process securely retrieves tokens
       ◦ No control is required!
     (Diagram labels: Bundler, Private Gem Server Auth, Credential Helper, Secure Storage (Keychain, etc), Get Password, config file, env vars)

  5. Let's see example: Git
     • git credential-helper
       ◦ osxkeychain
       ◦ Git Credential Manager, and more!
     • Stored in a secure location, such as OS keychain!

  6. Let's see example: pnpm
     • In .npmrc:
       ◦ //npm.example.com:tokenHelper=~/token-helper-for-pnpm
     • That is all it takes: the external process fetches the token and hands it back!

  7. How About This for Bundler?: My Idea
     • Working in rubygems/rfc#59, rubygems/rubygems#8501 (Bundler)
     • Running bundle install with a helper:
       bundle config --local credential-helper.rubygems.pkg.github.com "echo atpons:\$(gh auth token)"
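To make the proposal concrete, here is an added Ruby example of how a credential-helper lookup could work on the Bundler side. It is not Bundler's code and not the RFC's implementation; it assumes a Bundler-style config Hash keyed `credential-helper.<host>` (as in the `bundle config` line above), assumes the helper prints `user:password` on stdout, and uses a constructed `echo` helper as stand-in for a real one such as `gh auth token`:

```ruby
require "open3"
require "uri"

# Added example, not Bundler's code. Resolves credentials for a gem source by
# running a configured credential helper instead of reading a static token from
# .bundle/config or an environment variable.
#
# `config` is assumed to be a Hash shaped like Bundler's key/value config, e.g.
#   { "credential-helper.rubygems.pkg.github.com" => "echo user:$(gh auth token)" }
# The helper is expected to print "user:password" on stdout; the secret only ever
# lives in this process's memory.

HELPER_PREFIX = "credential-helper."

# Look up the helper command configured for a source URL's host, or nil.
def helper_command_for(config, source_url)
  host = URI.parse(source_url).host
  config[HELPER_PREFIX + host]
end

# Run the helper and parse its output. Returns { user:, secret: }, or nil when
# no helper is configured. Raises if the helper fails or prints malformed output.
def fetch_credential(config, source_url)
  cmd = helper_command_for(config, source_url)
  return nil if cmd.nil? || cmd.strip.empty?

  # A string command runs through the shell, matching how `bundle config` stores it.
  out, err, status = Open3.capture3(cmd)
  unless status.success?
    raise "credential helper for #{source_url} exited #{status.exitstatus}: #{err.strip}"
  end

  # Split on the first ":" only, so tokens containing ":" survive intact.
  user, secret = out.strip.split(":", 2)
  if user.nil? || user.empty? || secret.nil? || secret.empty?
    raise "credential helper for #{source_url} must print user:password on stdout"
  end
  { user: user, secret: secret }
end

# Build the HTTP Basic Authorization header value from a credential.
def basic_auth_header(cred)
  "Basic " + ["#{cred[:user]}:#{cred[:secret]}"].pack("m0")
end

# Redacted copy for logs and error messages, so a short-lived token is never echoed.
def redact(cred)
  { user: cred[:user], secret: "***" }
end

if __FILE__ == $0
  # Constructed config: the helper just echoes a fake token via the shell.
  config = { "credential-helper.gems.example.com" => "echo atpons:constructed-token" }
  cred = fetch_credential(config, "https://gems.example.com/")
  puts "using credential #{redact(cred)}"
  puts "Authorization: #{basic_auth_header(cred)}"
end
```

The point of the design is that nothing persistent holds the token: the helper is invoked at `bundle install` time, its output is parsed into memory, and a failing or misbehaving helper is surfaced as an error rather than silently falling back to a stale static password.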
  8. Wrapping Up
     • Credential management in Bundler and RubyGems could be better! 🚀
     • And, Credential Helper is one way of doing this!