Closed Deadpikle closed 2 years ago
Hi @Deadpikle Thank you for bringing this up! I'll fix it right away. Is it ok to include public keys?
Yeah, public keys are fine and are shipped with your app anyway, so those are safe to put out anywhere.
Thank you. I've pushed an update so hopefully everything should be resolved. Closing for now. Once again thank you so much for bringing this up!
Howdy,
SparkleUpdater maintainer here. Your private updater key is in this repo. https://github.com/ryanjon2040/Unreal-Binary-Builder/blob/master/UnrealBinaryBuilderUpdater/keys/NetSparkle_Ed25519.priv
Malicious users could use this to make updates or executables that look like they were published by you. You should not use this key any more and should not check private keys into your repos.
Recommendation: Push an update to your software that is a critical update (use `sparkle:criticalUpdate` in the `<enclosure>`). The new software is signed with your existing key (which you should remove from this repo for less visibility). The new software contains your new public key, and you use your new private key from then on. This isn't a perfect scheme, but you should assume your private key is out there in the wild at this point.
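The rotation scheme in the recommendation above, written out as an added Go example (not NetSparkle's or this repo's code): the updater pins the old public key, accepts a rotation release that is signed with the old key and carries the new public key, and from then on verifies only against the new key, so anything signed with the leaked key afterwards is refused. `Update` and `Client` are constructed stand-ins for the appcast enclosure and the updater.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Update: constructed stand-in for a signed release; NewPubKey is set only on a rotation release.
type Update struct {
	Payload   []byte
	Signature []byte
	NewPubKey ed25519.PublicKey // nil unless this release rotates the key
}

// signedBytes covers payload and new key together, so the new key cannot be swapped unsigned.
func signedBytes(payload []byte, newPub ed25519.PublicKey) []byte {
	return append(append([]byte{}, payload...), newPub...)
}

func sign(priv ed25519.PrivateKey, payload []byte, newPub ed25519.PublicKey) Update {
	return Update{payload, ed25519.Sign(priv, signedBytes(payload, newPub)), newPub}
}

// Client models the updater with one pinned public key. Apply verifies against it and, on a
// rotation release, pins the new key, so later releases signed with the leaked key are refused.
type Client struct{ Trusted ed25519.PublicKey }
func (c *Client) Apply(u Update) error {
	if !ed25519.Verify(c.Trusted, signedBytes(u.Payload, u.NewPubKey), u.Signature) {
		return errors.New("signature does not verify against pinned key")
	}
	if u.NewPubKey != nil {
		c.Trusted = u.NewPubKey
	}
	return nil
}

// RotationDemo runs the scheme end to end with fresh keys; the old key plays the leaked one.
func RotationDemo() (newKeyAccepted, leakedKeyRejected bool, err error) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Client{Trusted: oldPub}
	// Critical update: signed with the old key, carrying the new public key.
	if err = c.Apply(sign(oldPriv, []byte("v2.0 critical"), newPub)); err != nil {
		return
	}
	newKeyAccepted = c.Apply(sign(newPriv, []byte("v2.1"), nil)) == nil
	leakedKeyRejected = c.Apply(sign(oldPriv, []byte("v2.2"), nil)) != nil
	return
}
```

The gap the recommendation admits is visible here too: until a client has installed the rotation release, whoever holds the leaked key can sign a rotation release of their own, which is why the critical-update flag matters.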