back to article HashiCorp reveals exposure of private code-signing key after Codecov compromise

HashiCorp, an open-source company whose Terraform product is widely used for automated cloud deployments, has revealed a private code-signing key was exposed thanks to the compromised Codecov script discovered earlier this month. Codecov, which provides tools to assess how much of an application's code is subject to unit tests …

  1. Tom Chiverton 1

    And this is why signing a release needs to be manual, not a button in the CI/CD...

    1. Michael Wojcik Silver badge

      It shouldn't be part of CI/CD – at any rate, not part of the CI/CD pipeline – but it shouldn't be manual, either. Manual processes are difficult to perform consistently and to audit. Access to them is usually too broad, because humans aren't reliable. Repetitive processes, particularly those that involve security controls, are tiresome, and people will first stop being vigilant, and then actively try to circumvent safeguards.

      A manual traditional (one-and-done) signing procedure might be safe if you only sign a few releases a year, but even then it's just a matter of time until someone screws it up.

      Signing should be automated but invoked under human control, as part of promoting a build to release. Or it needs to be architected completely differently, e.g. using collaborative signing as in CHAINIAC.

  2. Michael Wojcik Silver badge

    Not a certificate

    or (as in the HashiCorp example) cryptographic certificates


    Certificates are attestations of identity that include a public key. They're public documents. Certificates don't get compromised.

    What was compromised in the HashiCorp case was a gpg (OpenPGP) private key.

    OpenPGP doesn't even really use certificates in its normal mode of operation – not X.509 certificates, at any rate. OpenPGP public keys are sometimes referred to as "certificates" (RFC 4880 acknowledges this usage), but it's informal at best and misleading since SSL/TLS has made X.509 the de facto digital-certificate format.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like