This repository has been archived by the owner on Jan 4, 2024. It is now read-only.

New in 2.2: Reliance on Keyring

Zac Adam-MacEwen edited this page Feb 5, 2021 · 1 revision

PyPI hosts an open source package named keyring, which supports storing credentials securely in a keyring store; the backend is determined automagically based on the local environment. This storage is secured by all the normal processes of the keyring backend. While it may expose potential exfiltration surface between Tapestry and the backend, it remains more secure than the current option available, which would have been storage in the tapestry.cfg configuration file.

Since storing secrets in the configuration file is obviously extremely undesirable, the functionality to retain passwords and passphrases has been absent from Tapestry for some time. That absence is a barrier to true automation, given their utility in the SFTP or signing processes, and potentially other network access operations.

Keyring would also provide a more acceptable method for storing certain other sensitive information, like AWS credentials, in the event that method is used.

The downside of this access method is that it will potentially complicate installation on Linux systems, though it should be relatively seamless on Windows and macOS/OS X systems, which each have their own quirks of installation. Another possible downside is the risk of conflict with existing configuration files. For this reason, the project to add Keyring functionality will also correct technical debt with regard to handling missing or incomplete configuration.

In theory this can replace several existing configuration values. Care must be taken when doing so to clearly identify these in both the main documentation and on this page.
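The following is an added example, not Tapestry's own code: a sketch of how a secret lookup could prefer the keyring, migrate a plaintext value left in an existing configuration file, and tolerate missing sections. The service name, the section and option names, and the `MemoryStore` test stand-in are assumptions; only `keyring.get_password` and `keyring.set_password` are the library's real calls.

```python
import configparser

SERVICE = "tapestry"  # assumed keyring service name, not taken from Tapestry

# Constructed sample config; section and option names are hypothetical.
SAMPLE_CFG = """[Network Configuration]
sftp_user = backup
sftp_password = constructed-example-secret
"""


class MemoryStore:
    """Constructed stand-in with keyring's get/set_password signatures."""

    def __init__(self):
        self._data = {}

    def get_password(self, service, username):
        return self._data.get((service, username))

    def set_password(self, service, username, password):
        self._data[(service, username)] = password


def resolve_secret(cfg, section, option, store=None):
    """Return the secret for section/option, preferring the keyring.

    A plaintext value still present in the parsed config is moved into the
    keyring (unless one is already stored, in which case the keyring wins)
    and removed from cfg, so rewriting the file drops the plaintext copy.
    """
    if store is None:
        import keyring  # real library; selects the OS backend automatically
        store = keyring
    account = f"{section}/{option}"
    # fallback=None covers both a missing section and a missing option
    legacy = cfg.get(section, option, fallback=None)
    stored = store.get_password(SERVICE, account)
    if legacy:
        if stored is None:
            store.set_password(SERVICE, account, legacy)
            stored = legacy
        cfg.remove_option(section, option)
    if stored is None:
        raise LookupError(f"no secret stored for {account}")
    return stored
```

The caller still has to write the modified config back to disk for the plaintext value to disappear from the file itself.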