@@ -28,28 +28,28 @@ keyring.
2828[ guide-level-explanation ] : #guide-level-explanation
2929
3030Suppose a user has their authentication token stored in a password manager, and
31- the password manager provides a command, ` creds cargo` , to decrypt and print
32- that token in a secure way. Instead of also storing the token in plaintext, the
33- user can add this snippet to their own ` .cargo/credentials ` to authenticate
34- with crates.io:
31+ the password manager provides a command, ` /usr/bin/ cargo-creds ` , to decrypt and
32+ print that token in a secure way. Instead of also storing the token in
33+ plaintext, the user can add this snippet to their own ` .cargo/credentials ` to
34+ authenticate with crates.io:
3535
3636``` toml
3737[registry ]
38- token-from-process = " creds cargo"
38+ token-from-process = " /usr/bin/ cargo-creds "
3939```
4040
4141When authentication is required Cargo will execute the command and use its
42- output as the token, which will never be stored by Cargo on disk. The command
43- will be executed inside the system's shell environment, to allow the usage of
44- CLI utilities :
42+ output as the token, which will never be stored by Cargo on disk. If the
43+ command requires arguments, for example ` password-manager creds crates-io ` , you
44+ can add them in a list :
4545
4646``` toml
4747[registry ]
48- token-from-process = " creds cargo | awk '{print($2)}' "
48+ token-from-process = [ " password-manager " , " creds" , " crates-io " ]
4949```
5050
51- It will be possible to use ` token-from-process ` on both crates.io and alternative
52- registries.
51+ It will be possible to use ` token-from-process ` on both crates.io and
52+ alternative registries.
5353
5454# Reference-level explanation
5555[ reference-level-explanation ] : #reference-level-explanation
@@ -60,12 +60,15 @@ When a `token` key is also present, the latter will take precedence over
6060` token-from-process ` to maintain backward compatibility, and a warning will be
6161issued to let the user know about that.
6262
63+ The ` token-from-process ` key accepts either a string containing the binary to
64+ call or a list containing the binary name and the arguments to provide to it.
65+
6366When a ` cargo ` subcommand needs the authentication token, Cargo will execute
64- the string contained in the configuration key with the system shell ( ` cmd.exe `
65- on Windows and ` sh ` on other platforms ). The process will inherit Cargo's
66- standard input and error, and the standard output will be captured by Cargo to
67- read the token (with trimmed newlines). If the command returns an exit code
68- other than ` 0 ` Cargo will treat that as a failure.
67+ the binary contained in the configuration key with the defined arguments (if
68+ provided by the user ). The process will inherit Cargo's standard input and
69+ error, and the standard output will be captured by Cargo to read the token
70+ (with trimmed newlines). If the command returns an exit code other than ` 0 `
71+ Cargo will treat that as a failure.
6972
7073The following environment variables will be provided to the executed command:
7174
@@ -75,8 +78,7 @@ The following environment variables will be provided to the executed command:
7578# Drawbacks
7679[ drawbacks ] : #drawbacks
7780
78- This RFC requires cargo to execute a command with the system shell, which could
79- make it more difficult to port Cargo to a new operative system without a shell.
81+ * No known drawbacks yet.*
8082
8183# Rationale and alternatives
8284[ rationale-and-alternatives ] : #rationale-and-alternatives
@@ -104,8 +106,8 @@ secret storage we expect a lot of users to use.
104106Multiple command line tools implement this system or a similar one to retrieve
105107authentication tokens or other secrets:
106108
107- * [ awscli] [ awscli ] includes the ` credentials_process ` setting with the same
108- behavior as the one proposed in this RFC.
109+ * [ awscli] [ awscli ] includes the ` credentials_process ` setting with nearly the
110+ same behavior as the one proposed in this RFC.
109111* [ Docker CLI] [ docker ] offers "credential stores", programs the Docker CLI
110112 calls with specific arguments expecting JSON output. Implementations are
111113 provided for common storage systems, and the protocol is documented for users
@@ -120,7 +122,7 @@ authentication tokens or other secrets:
120122# Unresolved questions
121123[ unresolved-questions ] : #unresolved-questions
122124
123- * Nothing here yet.*
125+ * No known unresolved questions yet.*
124126
125127# Future possibilities
126128[ future-possibilities ] : #future-possibilities
0 commit comments