security: write access for fdroid/fdroiddata git. CHECKUPDATES_SSH_DEPLOY_KEY leaked.
Hi,
I think I might have git commit/write access to https://gitlab.com/fdroid/fdroiddata.
Perhaps I am misunderstanding something, but it seems to me that
- a task named "checkupdates_runner" is running on gitlab CI, which pushes automatic updates to apps,
- to do the git push, the "fdroidci" gitlab account has direct commit access to the "fdroid/fdroiddata" repo,
- it uses an SSH key to authenticate with gitlab [0].
- the SSH (private) key is stored in an environment variable "CHECKUPDATES_SSH_DEPLOY_KEY" [1].
If so, the value of that env var can apparently be read and dumped in build attempts. During a recent automatic run of the "checkupdates_runner" for an app [2], the build script failed and dumped the whole os.environ into stdout [3]. Starting on line 7108, you can see the presumably secret value of CHECKUPDATES_SSH_DEPLOY_KEY.
I saved that as a file named "fdroid.secretkey", and ran:
$ ssh-keygen -y -f fdroid.secretkey
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBaNDuiLihHkUpZ8dSXi6PgHiYWEDGoRVK1Lmi7hg5B bubu@bubutux
As this did not prompt me for a password, as expected from the CI script [0], this ssh private key does not have a password. Looks like bubu is the developer who changed the CI to use ssh keys. [5]
I guess having this key allows anyone to push to the "fdroid/fdroiddata" git repo?
I did not want to test that, but I tested that it has read access at least: (Which of course is not a big deal, the repo is public, but it means this specific key is registered. I would expect to be able to push also.)
GIT_SSH_COMMAND='ssh -i fdroid.secretkey -o IdentitiesOnly=yes' git clone git@gitlab.com:fdroid/fdroiddata.git
Regards, SomberNight
PS: sorry for weird formatting, I originally intended to send this as an email
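The failure mode reported above (a crashing build script dumping os.environ, including a PEM-encoded deploy key, into the public job log) can be caught on both sides: by scanning job output for private key blocks, and by masking secret-looking variables before any environment dump. The following is an added example written for this page, not code from the F-Droid project; the log snippet and key material in it are constructed placeholders, and the variable-name pattern is an assumption about what counts as a secret.

```python
import re

# Matches any PEM-style private key block (OPENSSH, RSA, EC, ...). DOTALL lets it
# span the quoted, line-wrapped form a Python pprint of os.environ produces.
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
    re.DOTALL,
)

# Assumed naming convention for variables that must never reach a build log.
SENSITIVE_NAME_RE = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD", re.IGNORECASE)

# Constructed sample of a crashed job's output; the base64 line is a placeholder, not a real key.
SAMPLE_LOG = """\
Traceback (most recent call last):
  File "checkupdates.py", line 42, in <module>
KeyError: 'SOME_VAR'
# CI_JOB_NAME = 'checkupdates_runner'
# CHECKUPDATES_SSH_DEPLOY_KEY = ('-----BEGIN OPENSSH PRIVATE KEY-----\\n'
 'QUFBQSBjb25zdHJ1Y3RlZCBwbGFjZWhvbGRlciwgbm90IGEgcmVhbCBrZXkK\\n'
 '-----END OPENSSH PRIVATE KEY-----\\n')
# PATH = '/usr/bin'
"""


def find_leaked_keys(log_text: str) -> list[str]:
    """Return every private key block found in CI output (empty list if clean)."""
    return PRIVATE_KEY_RE.findall(log_text)


def leaked_key_lines(log_text: str) -> list[int]:
    """1-based line numbers where a private key block starts, for pointing at the log."""
    starts = [m.start() for m in PRIVATE_KEY_RE.finditer(log_text)]
    return [log_text.count("\n", 0, s) + 1 for s in starts]


def redact_environ(env: dict[str, str]) -> dict[str, str]:
    """Copy of an environment mapping with secret-looking values masked, so a
    crash handler can dump it without exposing deploy keys."""
    return {k: ("***REDACTED***" if SENSITIVE_NAME_RE.search(k) else v)
            for k, v in env.items()}


if __name__ == "__main__":
    for line_no in leaked_key_lines(SAMPLE_LOG):
        print(f"private key block found at log line {line_no}")
    print(redact_environ({"CHECKUPDATES_SSH_DEPLOY_KEY": "pem...", "PATH": "/usr/bin"}))
```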