GitHub reports that a “set of encrypted code-signing certificates” were exfiltrated from private repositories used in the planning and development of GitHub Desktop, a GUI utility for working with GitHub repositories, and Atom, an open source text editor built on the Electron framework.
Users of Atom 1.63 (the latest version) will have to downgrade to version 1.60. The 1.63 release has been removed from the Atom releases page, though users could build a later version from source as an alternative.
GitHub Desktop for Windows is not affected. On the Mac, versions of GitHub Desktop between 3.0.2 and 3.1.2 will stop working on February 2nd, when the code-signing certificate is revoked. The latest version of GitHub Desktop is 3.1.5, released last week. The earliest GitHub Desktop release to use the new certificates was published on January 4th.
GitHub said that the root cause of the security incident was a “compromised Personal Access Token associated with a machine account.” The nature of the compromise has not been revealed, but the intruders successfully stole the token and cloned the private repositories. Three current certificates were taken, two for Windows and one for Apple code-signing. These certificates were password-protected but this was considered insufficient reassurance. Certificate passwords are vulnerable to brute-force attack, depending on the strength of the password used.
Atom development was discontinued on December 15th last year, the reason given being “so we can focus on enhancing the developer experience in the cloud with GitHub Codespaces.” The core issue perhaps is that the massively popular Visual Studio Code (VS Code), also based on Electron, made Atom obsolete from GitHub’s perspective. The editor in VS Code, called Monaco, was designed from the first to run in the browser, whereas Atom was designed primarily for desktop use.
DevOps practitioners will note that this is a good example of the potential risks in automated processes. The reason the code signing certificates were present in the repository was to support their use “via Actions in our GitHub Desktop and Atom release workflows.” The password to decrypt the certificates was presumably not present in the repository itself, but there is a degree of risk even in having the certificates present. Stolen code-signing certificates have plenty of potential for causing trouble as they certify the source of an executable. GitHub did well to spot the intrusion and take appropriate action, though it is now over 7 weeks since the incident occurred.
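The lesson above is that signing material checked into a repository is exposed to anyone who can clone it, password-protected or not. The following is an added example, not GitHub's own tooling: a small scan a release team could run in CI to flag committed certificates and keys by extension, PEM header or PKCS#12/DER envelope. The sample tree it builds, including the file names and contents, is constructed for the demonstration.

```python
import os
import re
import tempfile

SIGNING_EXTENSIONS = {".p12", ".pfx", ".pem", ".key", ".cer", ".crt", ".jks"}
PEM_MARKER = re.compile(rb"-----BEGIN (?:[A-Z ]*PRIVATE KEY|CERTIFICATE)-----")


def classify_file(path):
    """Return why a file looks like signing material, or None if it does not."""
    ext = os.path.splitext(path)[1].lower()
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None
    if PEM_MARKER.search(head):
        return "PEM key/certificate block"
    # DER certs and PKCS#12 bundles open with an ASN.1 SEQUENCE using a
    # two-byte length (0x30 0x82); a password on the .pfx does not hide this.
    if ext in {".p12", ".pfx", ".cer", ".crt"} and head[:2] == b"\x30\x82":
        return "DER/PKCS#12 container"
    if ext in SIGNING_EXTENSIONS:
        return f"suspicious extension {ext}"
    return None


def scan_repo(root):
    """Walk a working tree and collect sorted (relative path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            reason = classify_file(path)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree that mimics a release-tooling repo."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "script", "certs"))
    files = {  # constructed sample contents, not real key material
        "script/certs/win-signing.pfx": b"\x30\x82\x0a\x00" + b"\x00" * 64,
        "script/certs/mac-signing.pem": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n",
        "script/sign.sh": b"openssl pkcs12 -in certs/win-signing.pfx -passin env:PW\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return scan_repo(root)
```

Running `demo()` flags the two certificate files and leaves the shell script alone; in a real pipeline the scan would fail the build so that signing material is moved into the CI secret store rather than the repository.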