[beta] Backport GitHub RSA key revocation #11892

Merged
merged 2 commits into from
Mar 26, 2023

ehuss (Contributor) commented Mar 26, 2023

Backports for 1.69.0:

…-key, r=arlosi

Added new GitHub RSA Host Key

GitHub rotated their RSA host key which means that cargo needs to update it.  Thankfully the other keys were not rotated so the impact depends on how cargo connected to github.

Refs https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

Add the old github keys as revoked

The patch to update the bundled ssh github host key did not change anything for users who already had connected to github one time before via ssh: if the attacker had access to the old key, they'd be vulnerable to MITM attacks as their known_hosts file would list the old github key. Only if they connected again to github without attacker access, or if they saw the announcement of the key rotation, they would update their key.

There is sadly no other way to distribute revocations of old host keys to clients other than to bundle them with client software.

cc rust-lang#11883
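
The check the description above argues for, as an added example (not cargo's code and not part of this pull request): a revocation list shipped with the client is consulted before the user's known_hosts entries, so a stale entry cannot vouch for the old key. The `Entry` type, `check_host_key`, `BUNDLED_REVOKED` and all key strings are hypothetical, constructed placeholders.

```rust
// Added example, not cargo's implementation. Key strings are constructed placeholders.
#[derive(Debug, PartialEq)]
enum Verdict {
    Accepted, // key matches a trusted entry for this host
    Revoked,  // key is on the revocation list shipped with the client
    Changed,  // host is known, but under a different key
    Unknown,  // host has never been seen
}

struct Entry {
    host: &'static str,
    key_type: &'static str,
    key: &'static str,
}

impl Entry {
    fn is_for(&self, host: &str, key_type: &str) -> bool {
        self.host == host && self.key_type == key_type
    }
}

// Hypothetical bundled revocation list; the placeholder stands in for the old RSA key.
const BUNDLED_REVOKED: &[Entry] =
    &[Entry { host: "github.com", key_type: "ssh-rsa", key: "OLD-RSA-PLACEHOLDER" }];

fn check_host_key(known: &[Entry], revoked: &[Entry], host: &str, key_type: &str, key: &str) -> Verdict {
    // Revocations come first, so a stale known_hosts entry cannot vouch for the key.
    if revoked.iter().any(|e| e.is_for(host, key_type) && e.key == key) {
        return Verdict::Revoked;
    }
    let mut seen = false;
    for e in known.iter().filter(|e| e.is_for(host, key_type)) {
        if e.key == key {
            return Verdict::Accepted;
        }
        seen = true;
    }
    if seen { Verdict::Changed } else { Verdict::Unknown }
}

fn main() {
    // Constructed known_hosts of a user who connected before the rotation.
    let stale = [Entry { host: "github.com", key_type: "ssh-rsa", key: "OLD-RSA-PLACEHOLDER" }];
    let old = ("github.com", "ssh-rsa", "OLD-RSA-PLACEHOLDER");
    // Without bundled revocations the old key is still accepted from known_hosts.
    println!("{:?}", check_host_key(&stale, &[], old.0, old.1, old.2));
    // With them, the same presented key is rejected.
    println!("{:?}", check_host_key(&stale, BUNDLED_REVOKED, old.0, old.1, old.2));
}
```
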

rustbot (Collaborator) commented Mar 26, 2023

r? @weihanglo

(rustbot has picked a reviewer for you, use r? to override)

rustbot (Collaborator) commented Mar 26, 2023

⚠️ Warning ⚠️

  • Pull requests are usually filed against the master branch for this repo, but this one is against rust-1.69.0. Please double check that you specified the right target!

rustbot added the A-git and S-waiting-on-review labels Mar 26, 2023

weihanglo (Member) commented

Thanks!

@bors r+

bors (Collaborator) commented Mar 26, 2023

📌 Commit d2a187b has been approved by weihanglo

It is now in the queue for this repository.

bors added the S-waiting-on-bors label and removed the S-waiting-on-review label Mar 26, 2023

bors (Collaborator) commented Mar 26, 2023

⌛ Testing commit d2a187b with merge 713164a...

bors (Collaborator) commented Mar 26, 2023

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing 713164a to rust-1.69.0...

bors merged commit 713164a into rust-lang:rust-1.69.0 Mar 26, 2023

bors added a commit to rust-lang-ci/rust that referenced this pull request Mar 27, 2023
…anglo

[beta-1.69-cargo] Backport GitHub RSA key revocation

1 commits in 7b18c85808a6b45ec8364bf730617b6f13e0f9f8..713164a40962a0a76c7f3ad8aafb6f03410e21d2
2023-03-17 12:29:33 +0000 to 2023-03-26 20:05:25 +0000
- [beta] Backport GitHub RSA key revocation (rust-lang/cargo#11892)

ehuss added this to the 1.69.0 milestone Apr 3, 2023