February update: We have revoked all three certificates: two Digicert code signing certificates used for Windows and one Apple Developer ID certificate.

If needed, you can download the latest version of GitHub Desktop, and the latest version of Atom from atom/atom.

On December 7, 2022, GitHub detected unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. After a thorough investigation, we have concluded there was no risk to services as a result of this unauthorized access and no unauthorized changes were made to these projects.

A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use. As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.

The affected versions of GitHub Desktop for Mac (3.0.2-3.1.2) will stop working on February 2. Please update to the latest version of Desktop. There will be no impact to GitHub Desktop for Windows. The affected versions of Atom (1.63.0-1.63.1) will also stop working on February 2. To keep using Atom, users will need to download a previous Atom version.

On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account. Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data. However, several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows.

Certificates are used to verify that code is created by the listed author, very similar to signing your commits on GitHub. We have no evidence that the threat actor was able to decrypt or use these certificates. These certificates do not put existing installations of the Desktop and Atom apps at risk. However, if decrypted, the threat actor could sign unofficial applications with these certificates and pretend that they were officially created by GitHub.

Three certificates were still valid on December 6, 2022: two Digicert code signing certificates used for Windows and one Apple Developer ID certificate. One Digicert certificate expired in January and the second will expire on February 1, 2023. GitHub will revoke all three certificates on February 2, 2023. Once expired, these certificates can no longer be used to sign code. While these will not pose an ongoing risk, as a preventative measure, we will revoke them on February 2. The Apple Developer ID certificate is valid until 2027. We are working with Apple to monitor for any new executable files (like applications) signed with the exposed certificate until the certificate is revoked on February 2.

How GitHub responded to protect our users

On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor. We investigated the contents of the compromised repositories and found no impact to our services or any of our other offerings outside of the specific certificates noted above. No unauthorized changes were made to the code in these repositories.

Today, we are removing the latest two versions of the Atom app, 1.63.0-1.63.1, from our releases page. Once the certificate is revoked, these versions will no longer function. You can download a previous Atom release per our sunsetting guidance.

On Thursday, February 2, 2023, we will revoke the Mac & Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1. Once revoked, all versions signed with these certificates will no longer function.
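For teams that keep a software inventory, the following is an added example (not GitHub's code) that applies the version ranges from this advisory to installed GitHub Desktop and Atom records and reports which installs stop working on February 2 and what the advisory asks for. The inventory record format, host names and sample versions are assumptions constructed for the example.

```python
"""Fleet triage for the February 2 certificate revocation (added example).
Version ranges are inclusive and come from the advisory; the inventory
record format is an assumption, not something GitHub publishes."""
import re
# Inclusive version ranges signed with the exposed certificates, per (app, platform).
AFFECTED = {
    ("desktop", "mac"): ((3, 0, 2), (3, 1, 2)),
    ("atom", "mac"): ((1, 63, 0), (1, 63, 1)),
    ("atom", "windows"): ((1, 63, 0), (1, 63, 1)),
    # ("desktop", "windows") is absent on purpose: the advisory states no impact.
}
ACTION = {
    "desktop": "update to the latest GitHub Desktop (signed with new certificates)",
    "atom": "install an earlier Atom release per the sunsetting guidance",
}

def parse_version(text):
    """Return (major, minor, patch); a trailing pre-release/build tag is ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(app, platform, version):
    """Return {'affected': bool, 'action': str} for one installed app."""
    app, platform = app.lower(), platform.lower()
    if app not in ACTION:
        raise ValueError(f"not covered by this advisory: {app!r}")
    window = AFFECTED.get((app, platform))
    affected = window is not None and window[0] <= parse_version(version) <= window[1]
    return {"affected": affected, "action": ACTION[app] if affected else "none"}

def triage(inventory):
    """Return the records that stop working on February 2, with the action to take."""
    results = (dict(rec, **classify(rec["app"], rec["platform"], rec["version"]))
               for rec in inventory)
    return [rec for rec in results if rec["affected"]]

# Constructed sample inventory, not real hosts.
SAMPLE = [
    {"host": "mac-01", "app": "desktop", "platform": "mac", "version": "3.1.2"},
    {"host": "mac-02", "app": "desktop", "platform": "mac", "version": "3.1.3"},
    {"host": "win-01", "app": "desktop", "platform": "windows", "version": "3.1.0"},
    {"host": "win-02", "app": "atom", "platform": "windows", "version": "v1.63.1"},
]

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec["host"], rec["app"], rec["version"], "->", rec["action"])
```

Feed it the real inventory export instead of SAMPLE; the Windows Desktop record is kept in the sample to show that it is reported as unaffected, as the advisory states.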