Closed jiwidi closed 4 years ago
It does not really matter at this point. Any key that has been committed must be considered compromised and a key rotation should be carried out.
Can't agree more
I hope that at this point all compromised private keys have been replaced @iCesofT
They look very much like keys that have been out of use for some time. And they were probably already public in the apk itself (since they sit in the /res dir), long before they were in this repo.
In any case, keys to what? I have no idea, but I imagine they were for signing the test builds for La Gomera, which makes them useless anyway.
:facepalm:
Someone should recommend a manual on how to rewrite histories. I suppose that when there is a next commit they can run a git filter-branch.
duplicate of #3 and #4, both closed. Why open another one again?
There are plenty of forks out there already (https://github.com/RadarCOVID/radar-covid-android/network/members) plus anyone might have done a copy of the keys too. There is absolutely no benefit on rewriting history as people suggest, the only solution is revoking the keys and generating new ones.
Unless they were just used in the past for testing and unusable now ; ) Check this commit and some other comments from @iCesofT.
Exactly, that's it. What has been "compromised" has not been in use since the tests that were done for La Gomera, that is, NOTHING is wrong.
It's not used anymore as we said before.
Hi!
So git is a wonderful tool: it allows you to keep track of file changes and facilitates coding with other people while keeping the source code structured. This means that your mistake of including a private key is still visible here https://github.com/RadarCOVID/radar-covid-android/blob/67a4506cc43a20062e87aebd5caa6be2ea0f6482/app/src/pre/res/raw/sedia_rsa_private_key.txt
@fjahijado If you push a new commit removing the key this won't fix your vulnerability, you have to remove all changes made to that file in previous commits (or remove the commits).
You can follow GitHub's official documentation here to fix it
Any key that you published should be rotated as they have been compromised
:)
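The point made in the last comment (a new commit that deletes the file does not remove it from history, and rewriting history does not help the clones and forks that already exist) can be checked locally. The script below is an added example and is not code from the thread or from the RadarCOVID project: it builds a throwaway repository with a constructed, fake key file at a hypothetical path, shows that the file is still reachable after a "remove key" commit, then applies the `git filter-branch` purge suggested above and re-runs the same check. `count_commits_with_secret` is the defender's check: run it against every ref before believing a removal commit did anything.

```shell
#!/bin/sh
# Added example, not part of the original thread. Demonstrates why a deleting
# commit leaves a secret recoverable, and the check to run before and after a
# history rewrite. The path and key content are constructed placeholders.
set -eu

SECRET_PATH="app/src/pre/res/raw/example_private_key.txt"  # hypothetical path
SECRET_MARKER="CONSTRUCTED-FAKE-KEY-MATERIAL"              # not real key material

# Build a temp repo: commit the "key", then delete it in a second commit.
# Prints the repository path.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  mkdir -p "$repo/$(dirname "$SECRET_PATH")"
  printf '%s\n' '-----BEGIN FAKE KEY-----' "$SECRET_MARKER" '-----END FAKE KEY-----' \
    > "$repo/$SECRET_PATH"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "add resources (includes key by mistake)"
  git -C "$repo" rm -q "$SECRET_PATH"
  git -C "$repo" commit -q -m "remove key"
  printf '%s' "$repo"
}

# Count commits reachable from ANY ref whose tree still contains the marker.
# A non-zero result after a "removal" commit means the secret is still public.
count_commits_with_secret() {
  repo=$1
  git -C "$repo" rev-list --all | while read -r rev; do
    if git -C "$repo" grep -q "$SECRET_MARKER" "$rev" 2>/dev/null; then
      echo "$rev"
    fi
  done | wc -l | tr -d ' '
}

# Rewrite every ref so the file never existed (the filter-branch route from the
# thread), drop the backup refs and reflog, and prune the now-dangling blobs.
# This only cleans THIS clone; forks and copies keep the old objects, which is
# why the key still has to be rotated.
purge_from_history() {
  repo=$1
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$repo" filter-branch -f --index-filter \
    "git rm --cached --ignore-unmatch -q '$SECRET_PATH'" -- --all >/dev/null 2>&1
  rm -rf "$repo/.git/refs/original"
  git -C "$repo" reflog expire --expire=now --all
  git -C "$repo" gc -q --prune=now
}

run_demo() {
  repo=$(make_demo_repo)
  echo "commits still carrying the key after the removal commit: $(count_commits_with_secret "$repo")"
  purge_from_history "$repo"
  echo "commits still carrying the key after filter-branch + gc:   $(count_commits_with_secret "$repo")"
  rm -rf "$repo"
}

run_demo
```

Running it prints 1 before the rewrite and 0 after; the 0 applies only to this local clone, so the rotation advice in the thread stands regardless of whether history is rewritten.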