3

I'm trying to get a Travis CI build to work in both my own private fork and the repo of my organization.

I encrypted a config file using the travis encrypt-file command and it seems to have created two environment variables in the Travis settings for my own fork that look like: "encrypted_d1234_key" and "encrypted_d1234_iv".

These are used when the build runs to decrypt the config file, like so:

openssl aes-256-cbc -K $encrypted_d1234_key -iv $encrypted_d1234_iv -in test.config.enc -out test.config -d

Can I somehow copy those secure environment variables over to the settings for my org's repo so that the build can decrypt the config file whether it's in my fork or my org's fork?

Or is there a better way to handle these situations?

This might be the same issue as: What do I need for Travis-CI to decrypt secure variables on my fork?

cbare
    To retrieve decrypted files, this workaround might work as well https://stackoverflow.com/questions/39460636/travis-ci-decryption-of-encrypted-files/51329987#51329987 – Entreco Jul 13 '18 at 17:20

1 Answer

4

I figured out a way to get this working. Since you can't get the keys that Travis generates for you, you just have to generate your own keys. Then, encrypt your secret goodies and push the keys into any private repo that needs them (and whose members you trust):

openssl aes-256-cbc -K 1000000000000000000000000000000000000000000000000000000000000001 -iv 10000000000000000000000000000001 -in test.config -out test.config.enc

Now, we give the keys to Travis, which stores them on a per-repo basis. These commands store them in whatever repo is set up as "origin" in git:

travis env set encrypted_d1234_key 1000000000000000000000000000000000000000000000000000000000000001
travis env set encrypted_d1234_iv 10000000000000000000000000000001

Also store them in your org's repo.

travis env set encrypted_d1234_key 1000000000000000000000000000000000000000000000000000000000000001 -r MyOrg/MyRepo
travis env set encrypted_d1234_iv 10000000000000000000000000000001 -r MyOrg/MyRepo

This is (partially) explained in the "Manual Encryption" section of the Encrypting Files docs.

Note that there are some Security Restrictions when testing Pull Requests. Travis supplies you with an environment variable so you can conditionally skip tests that require secure config.

cbare
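The manual-encryption procedure from the answer above, as an added example that is not part of the original answer: it replaces the fixed sample key and IV with random values from `openssl rand` and checks that the ciphertext decrypts back to the input before the values are stored anywhere. The function names and the sample config contents are constructed for illustration, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes openssl is on PATH.
set -eu

# Print N random bytes as hex: 32 bytes for the AES-256 key, 16 for the CBC IV.
gen_hex() { openssl rand -hex "$1"; }

# encrypt_file KEY_HEX IV_HEX IN OUT (same cipher and flags as the answer)
encrypt_file() { openssl aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"; }

# decrypt_file KEY_HEX IV_HEX IN OUT (the command the build runs)
decrypt_file() { openssl aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4" -d; }

# make_encrypted IN OUT: generate a fresh key and IV, encrypt IN to OUT, and
# confirm OUT decrypts back to IN. Leaves the values in $key and $iv.
make_encrypted() {
    key=$(gen_hex 32)
    iv=$(gen_hex 16)
    check=$(mktemp)
    encrypt_file "$key" "$iv" "$1" "$2"
    decrypt_file "$key" "$iv" "$2" "$check"
    if cmp -s "$1" "$check"; then rc=0; else rc=1; fi
    rm -f "$check"
    return "$rc"
}

# Demo on a constructed config file in a private temporary directory.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
printf 'api_token=constructed-sample-value\n' > "$workdir/test.config"
make_encrypted "$workdir/test.config" "$workdir/test.config.enc"
echo "round trip ok: key has ${#key} hex chars, iv has ${#iv} hex chars"

# Store the same values in every repo that builds this file, as in the answer:
#   travis env set encrypted_d1234_key "$key"
#   travis env set encrypted_d1234_iv  "$iv"
#   travis env set encrypted_d1234_key "$key" -r MyOrg/MyRepo
#   travis env set encrypted_d1234_iv  "$iv"  -r MyOrg/MyRepo
```

Only the `.enc` file belongs in the repository; the key and IV live only in the Travis settings of each repo.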