Hey everyone,
we decided after the security announcement by codecov (https://about.codecov.io/security-update/) that we would revoke the certificate and the key of news.
Why?
The bash script that is used by codecov was edited by an attacker; these changes could have led to a leak of secrets of news.
As we started to work on release automation, we can't fully guarantee that the key and the App Store token were not leaked.
Actions
A new key was generated and we requested a new certificate from nextcloud, nextcloud/app-certificate-requests#382
I generated a new App Store token, which allows you to upload new releases via the API.
Lastly, we revoked all releases on the App Store; that is necessary as soon as you update your app's certificate.
I uploaded the latest 15.x, 14.x and 13.x releases, so with those you can be sure that they were signed with the new certificate.
Consequences
If you try to install news now you might run into certificate errors. New releases of Nextcloud 19 - 21 should fix that.
Also older releases and extra releases are now only available via our GitHub release page.