Consider encrypting .ncurc with a passphrase

Open joyeecheung opened this issue 3 years ago • 2 comments

Since it contains tokens (though in general just read permissions of the org and the Jenkins), it would be safer if we encrypt it with a passphrase (in case some malicious code gets access to the user's home directory), and perhaps warn if the read permission of it is too generous, similar to how the ssh keys are protected.

joyeecheung, Apr 02 '22 12:04

This is technically not done.

  1. We should phase out non-encrypted tokens
  2. We need support in ncu-config to write it. Currently if you have .ncurc.gpg and you do ncu-config set ..., it serializes the token in plain text into .ncurc back again. This would be useful for CI support.

joyeecheung, Aug 08 '25 22:08
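The two checks raised in the thread so far (warn when the file mode is too open, as ssh does for private keys, and notice a plaintext .ncurc sitting next to .ncurc.gpg), sketched as an added example that is not node-core-utils code. The function names `auditTokenFile` and `auditNcuConfig` are hypothetical, and it assumes both files live in the same directory (the home directory by default).

```javascript
'use strict';
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Audit one credential file the way ssh audits a private key.
// Returns warning strings; an empty array means nothing to report.
function auditTokenFile(file) {
  let st;
  try {
    st = fs.lstatSync(file); // lstat so a symlink is reported, not followed
  } catch (err) {
    if (err.code === 'ENOENT') return []; // no file, nothing to warn about
    throw err;
  }
  if (st.isSymbolicLink()) return [`${file}: is a symlink, target not audited`];
  if (!st.isFile()) return [`${file}: not a regular file`];
  const warnings = [];
  // POSIX only: process.getuid is undefined on Windows, where mode bits
  // do not describe the ACL either, so both checks are skipped there.
  if (typeof process.getuid === 'function') {
    if (st.uid !== process.getuid()) {
      warnings.push(`${file}: owned by uid ${st.uid}, not the current user`);
    }
    const mode = st.mode & 0o777;
    if (mode & 0o077) { // any group/other bit set, same test ssh applies
      const octal = mode.toString(8).padStart(3, '0');
      warnings.push(`${file}: mode 0${octal} is too open; run chmod 600`);
    }
  }
  return warnings;
}

// Audit the two files named in the thread inside one directory.
function auditNcuConfig(dir = os.homedir()) {
  const plain = path.join(dir, '.ncurc');
  const encrypted = path.join(dir, '.ncurc.gpg');
  const warnings = [...auditTokenFile(plain), ...auditTokenFile(encrypted)];
  // The thread notes that a set can write the token back to .ncurc in
  // plain text even when .ncurc.gpg exists, so flag the pair.
  if (fs.existsSync(plain) && fs.existsSync(encrypted)) {
    warnings.push(`${plain}: plaintext file exists next to ${encrypted}`);
  }
  return warnings;
}
```

Calling `auditNcuConfig()` with no argument checks the current user's home directory; each returned string is meant to be printed as a warning rather than treated as a hard failure.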

Now that we have ncu-config set -x, I believe we're closer to the end goal.

  1. We should phase out non-encrypted tokens

I'm not sure we can reasonably do that while keeping a dependency on gpg; we should have a fallback (maybe something along the lines of https://bun.com/docs/runtime/secrets#secrets)

aduh95, Nov 19 '25 10:11