RadarCOVID / radar-covid-android

Native Android app using DP^3T Android sdk to handle Exposure Notifications API from Google
Mozilla Public License 2.0

Private key in your repository is still accessible even after you removed it with a new commit #9

Closed jiwidi closed 4 years ago

jiwidi commented 4 years ago

Hi!

So git is a wonderful tool: it allows you to keep track of file changes and facilitates coding with other people while keeping the source code structured. This means that your mistake of including a private key is still visible here https://github.com/RadarCOVID/radar-covid-android/blob/67a4506cc43a20062e87aebd5caa6be2ea0f6482/app/src/pre/res/raw/sedia_rsa_private_key.txt

@fjahijado If you push a new commit removing the key this won't fix your vulnerability, you have to remove all changes made to that file in previous commits (or remove the commits).

You can follow GitHub's official documentation here to fix it.

Any key that you published should be rotated as they have been compromised

:)
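The point made above (a later commit that deletes the file leaves the original bytes fully recoverable to anyone with a clone) can be reproduced and audited in a throwaway repository. This is an added example, not code from the RadarCOVID project; the repository path and key file are constructed placeholders, and the helper functions are the kind of check a maintainer would run before deciding what to rotate.

```shell
#!/bin/sh
# Added example (not from the RadarCOVID project): a secret deleted in a later
# commit is still reachable from history. Path and key content are constructed.
set -eu

# Build a throwaway repo: commit a fake key, then "remove" it in a new commit.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  mkdir -p "$repo/app/src/pre/res/raw"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'PLACEHOLDER-NOT-A-REAL-KEY' '-----END RSA PRIVATE KEY-----' \
    > "$repo/app/src/pre/res/raw/demo_private_key.txt"
  git -C "$repo" add -A
  git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'add key (mistake)'
  git -C "$repo" rm -q app/src/pre/res/raw/demo_private_key.txt
  git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'remove key'
  echo "$repo"
}

# Audit helper: every commit on any branch that touched the path.
# A non-empty list means the content is still retrievable even though HEAD
# no longer carries the file.
commits_touching() {   # $1 = repo, $2 = path
  git -C "$1" rev-list --all -- "$2"
}

# Recover the file as it was in the commit that first added it. This is what
# anyone with a clone or fork can do, which is why rotation, not deletion,
# is the fix.
recover_from_history() {   # $1 = repo, $2 = path
  first=$(git -C "$1" log --all --diff-filter=A --format=%H -- "$2" | tail -n 1)
  git -C "$1" show "$first:$2"
}

repo=$(make_demo_repo)
key=app/src/pre/res/raw/demo_private_key.txt
echo "tracked in HEAD: $(git -C "$repo" ls-files "$key" | wc -l | tr -d ' ')"  # 0
echo "commits touching it: $(commits_touching "$repo" "$key" | wc -l | tr -d ' ')"  # 2
recover_from_history "$repo" "$key"
```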

albertfdp commented 4 years ago

It does not really matter at this point. Any key that has been committed must be considered compromised, and a key rotation should be carried out.

jiwidi commented 4 years ago

> It does not really matter at this point. Any key that has been committed must be considered compromised, and a key rotation should be carried out.

Can't agree more

itsjavi commented 4 years ago

I hope that at this point all compromised private keys have been replaced @iCesofT

NiciusB commented 4 years ago

They look very much like keys that have been out of use for a long time. And they were probably already public in the APK itself (since it is the /res dir), long before they appeared in this repo.

In any case, keys to what? I have no idea, but I imagine they were for signing the La Gomera test builds, which makes them useless anyway.

alfonsoeromero commented 4 years ago

:facepalm:

arivero commented 4 years ago

Someone should recommend a manual on how to rewrite history. I suppose that when there is a next commit they will be able to run a git filter-branch.

fooock commented 4 years ago

Duplicate of #3 and #4, both closed. Why open another one again?

albertfdp commented 4 years ago

There are plenty of forks out there already (https://github.com/RadarCOVID/radar-covid-android/network/members), plus anyone might have made a copy of the keys too. There is absolutely no benefit in rewriting history as people suggest; the only solution is revoking the keys and generating new ones.

spanishkangaroo commented 4 years ago

> It does not really matter at this point. Any key that has been committed must be considered compromised, and a key rotation should be carried out.

> Can't agree more

Unless they were just used in the past for testing and unusable now ; ) Check this commit and some other comments from @iCesofT.

manueldevjour commented 4 years ago

> They look very much like keys that have been out of use for a long time. And they were probably already public in the APK itself (since it is the /res dir), long before they appeared in this repo.

> In any case, keys to what? I have no idea, but I imagine they were for signing the La Gomera test builds, which makes them useless anyway.

Exactly, that's it. What has been "compromised" has not been in use since the tests that were done for La Gomera, that is, NOTHING is wrong.

https://twitter.com/fjahijado/status/1303719651571097600

iCesofT commented 4 years ago

It's not used anymore as we said before.