Hi, I am trying to use a private password in my project (Kotlin DSL, Java/Kotlin, a Minecraft mod to be specific) for the purpose of loading encrypted music asset files. Of course, the password should not be saved in version control, so my idea would be to inject it from an environment variable.
This would be very easy if I just placed it in a resource file, but the issue would then be that it would be in a text file that could be seen by just opening the jar, entirely defeating the process. I’d prefer to inject it into a source file before compilation, but am having an extremely hard time getting it to work, and it seems weird as I’d imagine replacing private keys in source files would be a common use case.
Does anyone have any idea how to do it?
That’s not really common, because having it in the class file is not really that much more safe than having it in a txt file in the JAR.
It can be extracted extremely easily from both.
If you are the one running that code in the end, I’d suggest to supply the secret at runtime, not at buildtime.
If you are giving the JAR to others for usage and they should indeed use your secret and not retrieve their own, you could for example at least obfuscate it somehow, so that it is not too obvious what it is. But even then, the much easier and more idiomatic approach is to fill it into some resource file like a .properties file using the processResources task and for example using expand with it. Preprocessing sources before compilation is not exactly a too common and supported use-case. You could maybe use something like an annotation processor though to generate some class with the secret on the fly during compilation.
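
The processResources/expand approach suggested in the answer above, sketched as an added example that is not part of the original thread. The environment variable name `MUSIC_ASSET_KEY`, the file name `secret.properties` and the key `music.key` are assumptions chosen for illustration; as the answer points out, the value still ends up readable inside the JAR.

```kotlin
// build.gradle.kts -- added example, not code from the thread.
// Assumes the java (or kotlin-jvm) plugin is applied through the plugins {} block
// and that src/main/resources/secret.properties (hypothetical name) contains:
//
//     music.key=${musicKey}
//
// The placeholder is committed to version control; the real value is not.

import org.gradle.api.GradleException

// Hypothetical variable name. The provider is lazy: nothing is read until it is queried.
val musicKey = providers.environmentVariable("MUSIC_ASSET_KEY")

tasks.processResources {
    // Register the value as a task input so the task re-runs when the key changes.
    // orElse("") keeps up-to-date checks working on machines without the variable.
    inputs.property("musicKey", musicKey.orElse(""))

    // Only template the one file, so '$' characters in other resources are left alone.
    filesMatching("secret.properties") {
        // Resolved at execution time: IDE sync and unrelated tasks still work
        // without the variable, but building the JAR without it fails loudly
        // instead of shipping an empty key.
        val key = musicKey.orNull
            ?: throw GradleException("MUSIC_ASSET_KEY is not set; cannot fill secret.properties")
        expand(mapOf("musicKey" to key))
    }
}

// At runtime the mod would read the value with java.util.Properties from the
// classpath resource "secret.properties". Properties.load() interprets backslash
// escapes, so a key containing '\' has to be escaped or encoded (for example
// Base64) before it is exported into the environment variable.
```

Running `unzip -p` on the built JAR for `secret.properties` prints the key in clear text, which is the limitation the answer describes: this keeps the secret out of version control, not out of the distributed artifact.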