Open aarongable opened 5 months ago
There are also some DER-encoded private keys floating around, such as the following. Note that public keys haven't been sorted out from this.
$ find -type f -iname '*.der'
./test/test-root.key.der
./test/test-ca.der
./test/test-key-5.der
./test/test-ca.key.der
./test/test-root.der
test-ca.der and test-root.der are certificates; I've added the others to the checklist above.
With #7488 out for review, only three clusters of keys remain:
Twice in the last two weeks we have uploaded new private keys in PRs, and had to have SRE block those keys because they're compromised.
This should be impossible. We should make it so that boulder has no need for checked-in keys, by dynamically generating any such keys when the integration tests start. Then we should enable push protection with secret scanning to ensure that we never upload a private key to this repo ever again.
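One way to sort checked-in `.der` files into certificates, public keys and private keys, which the comments above do by hand. This is an added example, not code from the issue or from Boulder; `classifyDER`, `constructedSamples` and the sample file names are hypothetical, and the samples are throwaway values generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// classifyDER reports what a DER blob holds. Only "private-key" results are
// secrets; RSA public keys in bare PKCS#1 form are reported as "unknown".
func classifyDER(der []byte) string {
	if _, err := x509.ParseCertificate(der); err == nil {
		return "certificate"
	}
	if _, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		return "private-key"
	}
	if _, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return "private-key"
	}
	if _, err := x509.ParseECPrivateKey(der); err == nil {
		return "private-key"
	}
	if _, err := x509.ParsePKIXPublicKey(der); err == nil {
		return "public-key"
	}
	return "unknown"
}

// constructedSamples builds throwaway DER blobs (constructed data, not repo files).
// Errors are ignored here because every input is generated on the spot.
func constructedSamples() map[string][]byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	cert, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	pkcs8, _ := x509.MarshalPKCS8PrivateKey(key)
	sec1, _ := x509.MarshalECPrivateKey(key)
	pub, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return map[string][]byte{"cert.der": cert, "pkcs8.key.der": pkcs8, "sec1.key.der": sec1, "pub.der": pub}
}

func main() {
	for name, der := range constructedSamples() {
		fmt.Printf("%-14s %s\n", name, classifyDER(der))
	}
}
```

Generating the samples at run time, as `constructedSamples` does, is the same pattern the issue proposes for the integration tests: no key material ever needs to exist in the repository.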