HashiCorp reveals exposure of private code-signing key after Codecov compromise

HashiCorp, an open-source company whose Terraform product is widely used for automated cloud deployments, has revealed a private code-signing key was exposed thanks to the compromised Codecov script discovered earlier this month. Codecov, which provides tools to assess how much of an application's code is subject to unit tests …

  1. Tom Chiverton 1

    And this is why signing a release needs to be manual, not a button in the CI/CD...

    1. Michael Wojcik

      It shouldn't be part of CI/CD – at any rate, not part of the CI/CD pipeline – but it shouldn't be manual, either. Manual processes are difficult to perform consistently and to audit. Access to them is usually too broad, because humans aren't reliable. Repetitive processes, particularly those that involve security controls, are tiresome, and people will first stop being vigilant, and then actively try to circumvent safeguards.

      A manual traditional (one-and-done) signing procedure might be safe if you only sign a few releases a year, but even then it's just a matter of time until someone screws it up.

      Signing should be automated but invoked under human control, as part of promoting a build to release. Or it needs to be architected completely differently, e.g. using collaborative signing as in CHAINIAC.

  2. Michael Wojcik

    Not a certificate

    or (as in the HashiCorp example) cryptographic certificates

    Nope.

    Certificates are attestations of identity that include a public key. They're public documents. Certificates don't get compromised.

    What was compromised in the HashiCorp case was a gpg (OpenPGP) private key.

    OpenPGP doesn't even really use certificates in its normal mode of operation – not X.509 certificates, at any rate. OpenPGP public keys are sometimes referred to as "certificates" (RFC 4880 acknowledges this usage), but it's informal at best and misleading since SSL/TLS has made X.509 the de facto digital-certificate format.
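The two comments above make one practical point between them: verification of a release needs only public material (a public key, or the certificate that carries it), while producing a signature needs the private key, which is the secret that was exposed in HashiCorp's case and the thing that should never sit in an unattended CI job. The Go program below is an added illustration, not code from The Register, HashiCorp or Codecov. It uses Ed25519 from Go's standard library rather than OpenPGP, and the `approved` flag standing in for a human-initiated promotion step is a hypothetical simplification; the artifact bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedRelease is a release artifact together with its detached signature.
type SignedRelease struct {
	Version   string
	Artifact  []byte
	Signature []byte
}

// ReleaseSigner holds the private key. In a real pipeline this would live on a
// signing host or HSM that the CI runners cannot reach; only the promotion step,
// started by a person, would call Sign. (Hypothetical structure for illustration.)
type ReleaseSigner struct {
	priv ed25519.PrivateKey
}

// NewReleaseSigner generates a fresh key pair and returns the signer plus the
// public key, which is the only part CI and downstream users ever need.
func NewReleaseSigner() (*ReleaseSigner, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &ReleaseSigner{priv: priv}, pub, nil
}

// signingInput binds the version string to the artifact digest, so a signature
// that was valid for one version cannot be replayed onto different bytes under
// another version label.
func signingInput(version string, artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return []byte("release:" + version + ":" + hex.EncodeToString(sum[:]))
}

// Sign refuses to produce a signature unless an operator explicitly approved
// this version: automated, but invoked under human control.
func (s *ReleaseSigner) Sign(version string, artifact []byte, approved bool) (SignedRelease, error) {
	if !approved {
		return SignedRelease{}, errors.New("signing requires explicit operator approval")
	}
	sig := ed25519.Sign(s.priv, signingInput(version, artifact))
	return SignedRelease{Version: version, Artifact: artifact, Signature: sig}, nil
}

// Verify needs only the public key. This is the check a CI job or an end user
// can run without ever holding the secret that was exposed in the article.
func Verify(pub ed25519.PublicKey, r SignedRelease) bool {
	return ed25519.Verify(pub, signingInput(r.Version, r.Artifact), r.Signature)
}

func main() {
	signer, pub, err := NewReleaseSigner()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample build output for v1.0.0")

	// Unattended signing attempt: rejected.
	if _, err := signer.Sign("v1.0.0", artifact, false); err != nil {
		fmt.Println("CI signing attempt rejected:", err)
	}

	// Human-approved promotion: signed, then verified with the public key only.
	rel, _ := signer.Sign("v1.0.0", artifact, true)
	fmt.Println("genuine release verifies:", Verify(pub, rel))

	// A modified artifact under the same version fails verification.
	rel.Artifact = []byte("constructed sample build output, tampered")
	fmt.Println("tampered release verifies:", Verify(pub, rel))
}
```

Verification in this design never touches the private key, so the public key can be published freely, as a certificate is; only the host that runs `Sign` has to be protected, which is where a pipeline script like the compromised Codecov uploader must not be allowed to run.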
