sabrogden / Ditto

Ditto is an extension to the Windows Clipboard. You copy something to the Clipboard and Ditto takes what you copied and stores it in a database to retrieve at a later time.
https://ditto-cp.sourceforge.io/

Likely major security flaw? #708

Open soerennielsen opened 2 weeks ago

soerennielsen commented 2 weeks ago

First of all, I LOVE DITTO!

Having used it for years it is one of the first apps I install on any new computer.

Background: I went a bit deep into this repo as I was searching for an arm64 version, or possibly an easy way to create one (didn't find it and local compilation also failed with something in SQLite3 c++ code).

While searching I came across secrets stored in appveyor.xml file which contains CHOCO_API_KEY and GITHUB_API_KEY.

Ehm... I have not tried it, but I would probably be able to push a rogue binary to choco and likely also create a rogue release with custom uploaded binaries to github releases.

... and thereby infect everyone installing from those sources with whatever rogue stuff :( :(

Sourceforge + winget is likely still secure.

Can you please remove and also cycle these secrets? There are options to store secrets in github CI/CD parts, in Azure DevOps and likely also in appveyor - I think @sabrogden is the right one to poke on this.

(second/third: Can I humbly ask for arm64 to be added to your build targets? My c++ skills are way too old to fix it correctly)

sabrogden commented 2 weeks ago

Those are secure strings that appveyor unencrypts when building.
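As an added example, not part of the issue thread or the Ditto project: a small check that tells AppVeyor `secure:` entries (ciphertext that AppVeyor decrypts only on its own build workers) apart from API-key style variables stored as plaintext in an appveyor.yml `environment` block. The sample file, its variable values and the list of secret-looking name suffixes are constructed assumptions.

```python
"""Flag secret-looking AppVeyor variables that are not stored as `secure:` values.

AppVeyor writes encrypted variables as `NAME:` followed by an indented
`secure: <ciphertext>` line; those are decrypted only on AppVeyor's workers,
so a `secure:` entry in a public repo is not a usable credential. A bare
string value for the same variable would be.
"""
import re

# Constructed sample config; both ciphertext and token are placeholders.
SAMPLE_APPVEYOR_YML = """\
version: 3.{build}
environment:
  CHOCO_API_KEY:
    secure: AbCdEfGh1234567890placeholder==
  GITHUB_API_KEY: ghp_plaintextplaceholder
  BUILD_MODE: Release
"""

# Assumed name pattern for variables that usually hold credentials.
SECRET_NAME = re.compile(r"(API_KEY|TOKEN|SECRET|PASSWORD)$", re.IGNORECASE)


def environment_vars(yml):
    """Return {name: value} for the top-level `environment:` block.

    A nested `secure:` mapping is recorded as the string 'secure:<ciphertext>'.
    Minimal indentation-based parse so the check needs no YAML library.
    """
    found, in_env, current = {}, False, None
    for raw in yml.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if indent == 0:                      # new top-level section
            in_env, current = (key == "environment"), None
        elif in_env and indent == 2:         # variable name; value may be empty
            current = key
            found[key] = value
        elif in_env and indent == 4 and current and key == "secure":
            found[current] = "secure:" + value
    return found


def plaintext_secrets(yml):
    """Names of secret-looking variables whose value is not AppVeyor-encrypted."""
    return sorted(name for name, value in environment_vars(yml).items()
                  if SECRET_NAME.search(name) and not value.startswith("secure:"))


if __name__ == "__main__":
    print("plaintext secrets:", plaintext_secrets(SAMPLE_APPVEYOR_YML))
```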