Action needed for GitHub Desktop and Atom users
source link: https://github.blog/2023-01-30-action-needed-for-github-desktop-and-atom-users/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Action needed for GitHub Desktop and Atom users
Update to the latest version of Desktop and previous version of Atom before February 2.
On December 7, 2022, GitHub detected unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. After a thorough investigation, we have concluded there was no risk to GitHub.com services as a result of this unauthorized access and no unauthorized changes were made to these projects.
A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use. As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.
These versions of GitHub Desktop for Mac will stop working on February 2. Please update to the latest version of Desktop.
- 3.1.2
- 3.1.1
- 3.1.0
- 3.0.8
- 3.0.7
- 3.0.6
- 3.0.5
- 3.0.4
- 3.0.3
- 3.0.2
There will be no impact to GitHub Desktop for Windows.
These versions of Atom also will stop working on February 2. To keep using Atom, users will need to download a previous Atom version.
- 1.63.1
- 1.63.0
What happened
On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account. Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.
However, several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.
Certificates are used to verify that code is created by the listed author, very similar to signing your commits on GitHub. These certificates do not put existing installations of the Desktop and Atom apps at risk. However, if decrypted, the threat actor could sign unofficial applications with these certificates and pretend that they were officially created by GitHub.
Three certificates were still valid on December 6, 2022: two Digicert code signing certificates used for Windows and one Apple Developer ID certificate. GitHub will revoke all three certificates on February 2, 2023.
- One Digicert certificate expired on January 4, 2023 and the second will expire on February 1, 2023. Once expired, these certificates can no longer be used to sign code. While these will not pose an ongoing risk, as a preventative measure, we will revoke them on February 2.
- The Apple Developer ID certificate is valid until 2027. We are working with Apple to monitor for any new executable files (like applications) signed with the exposed certificate until the certificate is revoked on February 2.
On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor.
Impact to GitHub.com
We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above. No unauthorized changes were made to the code in these repositories.
How GitHub responded to protect our users
Today, we are removing the latest two versions of the Atom app 1.63.0-1.63.1 from our releases page. Once the certificate is revoked, these versions will no longer function. You can download a previous Atom release per our sunsetting guidance.
On Thursday, February 2, 2023, we will revoke the Mac & Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1. Once revoked, all versions signed with these certificates will no longer function. We highly recommend updating Desktop and/or downgrading Atom before February 2 to avoid disruptions in your workflows.
The security and trustworthiness of GitHub and the broader developer ecosystem is our highest priority. We recommend users take action on the above recommendations to continue using GitHub Desktop and Atom.
The GitHub Insider Newsletter
Get the best of GitHub. Once a month. Directly to your inbox.
SubscribeMore on Atom
Sunsetting Atom
We are archiving Atom and all projects under the Atom organization for an official sunset on December 15, 2022.
More on GitHub Desktop
GitHub Desktop 3.0 brings better integration for your pull requests
GitHub Desktop 3.0 brings better integration with your GitHub Pull Requests. You can now receive real time notifications and review the status of your check runs for your pull request.
GitHub Availability Report: March 2022
In March, we experienced several incidents resulting in significant impact to multiple GitHub services.
GitHub Desktop 2.9 includes squashing, reordering, amending, and more!
The latest version of GitHub Desktop allows you to squash commits, squash and merge, reorder, amend your last commit, check out a branch from a previous commit, and more.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK