Skip to content

GitHub revokes stolen code signing certificates following internal repo breach

  • by
  • 2 min read

Unknown attackers have stolen Github’s encrypted code-signing certificates for its desktop and Atom programs after they gained access to some of its development and release repositories. These include one Apple Developer ID certificate and two Digicert code signing certificates used for Windows apps.

The breach was detected on December 7, 2022, following which the team immediately revoked the compromised credentials. The company is already conducting an investigation to find out the potential impact on customers and internal systems. None of the compromised repositories contain customer data.

Out of the two Digicert certificates leaked, one already expired on January 4, 2023, and the other expires on February 1, 2023. The Apple Developer ID certificate is valid until 2027. As a preventive measure, the company is revoking all three of these certificates on February 2. While the Digicert certificates pose no threat, Github is working with Apple to monitor any new executable files that may be signed with the malicious certificate until February 2. 

According to an advisory issued by the company, repositories from their Atom, desktop and other deprecated Github-owned organisations were “cloned by a compromised Personal Access Token (PAT) associated with a machine account”. Github says there’s no evidence that there’s no evidence of the certificates being abused yet.

That said, revoking credentials means some versions of the Github desktop app will stop working. The following versions of Github Desktop for Mac will stop working on February 2:

  • 3.1.2
  • 3.1.1
  • 3.1.0
  • 3.0.8
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2

The following Atom versions will also stop working on February 2:

  • 1.63.1
  • 1.63.0

Users will need to download older versions of Atom to keep using the editor. There’s no impact to Github Desktop for Windows at the moment.

In the News: Baidu plans to launch Chinese ChatGPT clone in March

>