User credentials (in export_presets.cfg) are saved in repository by default, potentially making them public? #72505

Closed
kraybit opened this issue Feb 1, 2023 · 1 comment

Comments

@kraybit

kraybit commented Feb 1, 2023

Godot version

4.0.beta16.mono.official

System information

MacOS

Issue description

Making a new Godot 4.0.beta16-project with Git Version Control Metadata results in this .gitignore:

# Godot 4+ specific ignores
.godot/

Creating a new Export profile for macOS generates an export_presets.cfg file, where the following can be found:

...
notarization/apple_id_name=""
notarization/apple_id_password=""
...
  • It seems, but I don't know — it seems export_presets.cfg contains potentially sensitive data?
  • If it does, should it not perhaps be added to .gitignore?

Related

  • The gitignore project here on GitHub (gitignore/Godot.gitignore) has chosen to mark the export configuration files as ignored, seemingly for this reason. See the discussion at [Godot] Don't ignore export presets github/gitignore#2827
  • Obviously, ignoring export_presets.cfg means you have to recreate them every time you clone the repository, which is a major hassle.
  • Ideally, credentials would be stored elsewhere?
  • At the very least, there seems to be a discrepancy here, between the Godot project and the gitignore project, regarding security/privacy?

Steps to reproduce

Generic repro

  • Create new project with Git metadata
  • Open .gitignore and read
  • Create a new Export profile for MacOS (or rather, one for each platform)
  • Open `export_presets.cfg` and locate any sensitive user credentials (if present)
  • Open any other file that may contain sensitive user credentials (given that, in the future, they may be stored elsewhere)
  • Then ask: "If the user pushes this project to a public repository, will they publish any sensitive data, such as code signing credentials, that should not be public?"
    • If "Yes" - Then there's a bug.
    • If "No" - Then no bug.

Minimal reproduction project

Trivial.
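A worked check for the concern raised in this issue, added here as an example (it is not code from the issue or from the Godot project): a pre-commit hook that parses export_presets.cfg and rejects the commit when a credential-looking option has a non-empty value, so the presets file itself can stay tracked instead of being gitignored. The sample presets text is constructed for the example; the credential key patterns are assumptions based on the codesign/notarization keys quoted above plus Android keystore keys, and should be extended for other platforms.

```python
"""Pre-commit check: refuse to commit a Godot export_presets.cfg that carries
filled-in signing or notarization credentials. Added example, not Godot code.
"""
import re
import sys

# Assumed key patterns: matched against the full "group/option" key. These
# should stay empty in a tracked export_presets.cfg; extend per platform.
CREDENTIAL_KEY_PATTERNS = [
    r"password",
    r"apple_id",
    r"api_key",
    r"api_uuid",
    r"keystore/",
    r"certificate",
    r"provisioning_profile",
]
_CRED_RE = re.compile("|".join(CREDENTIAL_KEY_PATTERNS))
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_presets(text):
    """Parse the INI-like export_presets.cfg into {section: {key: raw_value}}.

    Values stay as the raw right-hand side ('""' for an empty string) so the
    check looks at exactly what would be committed.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def is_empty_value(raw):
    """True for an empty Godot string or empty array literal."""
    return raw.strip() in ('""', "''", "[]")


def find_credentials(text):
    """Return [(section, key, raw_value)] for credential keys that are not empty."""
    findings = []
    for section, options in parse_presets(text).items():
        for key, raw in options.items():
            if _CRED_RE.search(key) and not is_empty_value(raw):
                findings.append((section, key, raw))
    return findings


def check_file(path):
    """Read a presets file and return its findings (an empty list means clean)."""
    with open(path, encoding="utf-8") as fh:
        return find_credentials(fh.read())


# Constructed sample, not a real project file: a macOS preset with blank
# credentials (as quoted in the issue) and an Android preset where someone
# has filled in release keystore details.
SAMPLE = """\
[preset.0]
name="macOS"
platform="macOS"
runnable=true
[preset.0.options]
codesign/certificate_file=""
codesign/certificate_password=""
notarization/apple_id_name=""
notarization/apple_id_password=""
[preset.1]
name="Android"
platform="Android"
[preset.1.options]
keystore/release="/Users/dev/release.keystore"
keystore/release_user="release"
keystore/release_password="hunter2"
"""


def main(argv):
    path = argv[1] if len(argv) > 1 else "export_presets.cfg"
    findings = check_file(path)
    for section, key, _raw in findings:
        # Print the key but never the value: hook output can end up in CI logs.
        print(f"refusing to commit {path}: [{section}] {key} is not empty")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Drop the script into `.git/hooks/pre-commit` (or run it against `export_presets.cfg` in CI) and a non-zero exit blocks the commit. It is a heuristic on key names, so it only catches credentials written into the presets file; anything Godot or a future version stores in another file needs its own check.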

@Calinou
Member

Calinou commented Feb 1, 2023

Duplicate of godotengine/godot-proposals#1156.

Calinou closed this as not planned (duplicate) on Feb 1, 2023