Closed kevcube closed 2 years ago
@unfunco I've validated that role assumption still functions, please double check my assumptions about the cert chain!! If they're correct then this is a critical bug.
Investigating further, I think it's okay. The thumbprint that was being used is the one documented by GitHub in this post: https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/
Ok - yeah looks like it's secure enough to be validating the intermediate CA and also the GitHub domain.
Based on the output of
openssl s_client -servername token.actions.githubusercontent.com -showcerts -connect token.actions.githubusercontent.com:443
(below) I believe the module uses the thumbprint of the CA Authority's signing cert, fingerprint:
instead of using the cert issued by this CA to GitHub,
fingerprint:
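A way to check which certificate a thumbprint belongs to, as an added example that is not part of the thread or of the module under discussion: AWS expects the IAM OIDC provider thumbprint to be the SHA-1 fingerprint (uppercase hex, no colons) of the top intermediate CA certificate in the chain the server presents, which is the last certificate that `openssl s_client -showcerts` prints, not the leaf issued to the hostname. The script below splits a `-showcerts` style chain file into its certificates and computes that thumbprint. Because it has to run offline, it builds a constructed two-certificate chain (a throwaway CA and a leaf for the made-up name `leaf.example.test`) with openssl; the function names `aws_thumbprint`, `split_chain`, `last_cert_thumbprint`, `make_demo_chain` and `live_chain` are my own and assume only a POSIX shell, awk and the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the thread or the module it discusses.
# Requires: POSIX sh, awk, openssl. Everything under make_demo_chain is a
# constructed throwaway chain used only so the script can run offline.
set -eu

# aws_thumbprint CERT.pem : SHA-1 fingerprint of one PEM certificate in the
# form AWS IAM wants (uppercase hex, no colons).
aws_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed -e 's/^.*=//' -e 's/://g'
}

# split_chain CHAIN.pem OUTDIR : write each certificate found in a
# `openssl s_client -showcerts` style dump to OUTDIR/cert-N.pem (N from 1).
# Lines outside BEGIN/END blocks (the "s:/i:" summaries, session info) are
# skipped, so the raw s_client output can be fed in directly.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inc = 1 }
    inc { print > f }
    /-----END CERTIFICATE-----/   { inc = 0; close(f) }
  ' "$1"
}

# last_cert_thumbprint CHAIN.pem : thumbprint of the last certificate in the
# chain, i.e. the top intermediate CA the server sent, which is the value
# AWS documents for an OIDC provider (assumption: the server sends its
# intermediates, as token.actions.githubusercontent.com does).
last_cert_thumbprint() {
  tmp=$(mktemp -d)
  split_chain "$1" "$tmp"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  aws_thumbprint "$tmp/cert-$n.pem"
  rm -rf "$tmp"
}

# live_chain HOST OUT.pem : fetch the real chain (network access; not run
# here). Usage: live_chain token.actions.githubusercontent.com chain.pem
live_chain() {
  openssl s_client -servername "$1" -showcerts -connect "$1:443" \
    </dev/null 2>/dev/null > "$2"
}

# make_demo_chain : constructed offline chain (EC keys for speed). Prints the
# path of a chain file laid out the way s_client prints it: leaf first, CA last.
make_demo_chain() {
  d=$(mktemp -d)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 \
    -subj "/CN=Example Demo Root CA" >/dev/null 2>&1
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=leaf.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 1 >/dev/null 2>&1
  cat "$d/leaf.pem" "$d/ca.pem" > "$d/chain.pem"
  echo "$d/chain.pem"
}

# Stand-alone demo: show that the chain's last-cert thumbprint is the CA's,
# and differs from the leaf's.
demo_chain=$(make_demo_chain)
echo "leaf thumbprint : $(aws_thumbprint "$(dirname "$demo_chain")/leaf.pem")"
echo "CA thumbprint   : $(aws_thumbprint "$(dirname "$demo_chain")/ca.pem")"
echo "chain last cert : $(last_cert_thumbprint "$demo_chain")"
```

To compare against a real provider, run `live_chain token.actions.githubusercontent.com chain.pem` and then `last_cert_thumbprint chain.pem`; the result should match the thumbprint configured on the IAM OIDC provider. Note that this value changes whenever the issuing CA rotates, which is why the thumbprint is worth re-checking rather than assuming.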