N@uBlue Members let's talk here.
Bthanks, good call @Noel
EGood idea
Bso, summary of current state:
RYep - let's let Google index this disaster 
NDo we think it would be helpful to set up a call?
Bthe image signing key (cosign) is old... no one seems to have a copy, but it was a secret it github
it was reported that it may be getting leaked in a build
jorge changed the secret immediately, not remembering that it would cause upgrade issues
so now we are trying to find a copy
it was reported that it may be getting leaked in a build
jorge changed the secret immediately, not remembering that it would cause upgrade issues
so now we are trying to find a copy
RSlightly confused by
Private cosign keys were stored in GH secrets. If one of the legacy repos has it still stored as a secret, we can output the private key in a GHA job (after setting the repo to private)
i can look, but we can't recover...
Private cosign keys were stored in GH secrets. If one of the legacy repos has it still stored as a secret, we can output the private key in a GHA job (after setting the repo to private)
Bfinding a copy would let us restore the leaked key, to enable users to do clean upgrades
without that, users will need to do a rebase dance to upgrade
without that, users will need to do a rebase dance to upgrade
Blooking, i have access
Bbase repo has lo repo secretsNthis looks like a potential solution.
Bnot in base, ubuntu, or main
Nmaybe the cinnamon framework or budgie repos?
Nor any of the archived ones?
N
HI'm calling it, I have to make 
ujust resign a thing don't I after vacation? RIs it the same key Jorge used when the repo was in his user account? We might not have even had signing there
Edit: can't see the repo
Edit: can't see the repo
Xi think those are much newer, when we already had the org key
Byes, this
ESo at this point, we need to update the public key in our repositories and config and tell people to rebase to an unverified image and back to a signed image
NMate is from march 2023?
Bwe were already using org secrets by then
Byes, this, unless github support could rollback a secret change
Jcan someone file a ticket?
Jlet's try that
Nyeah, this would be the easiest.
Jwill catch up after this call
BI would guess only @j0rge or @MarcoCeppi had the key originally
Bi can file the ticket, since i'm an owner on org
NYou would think they might have a way to do this since this could be a very malicious thing to do to an org.
EThank you!
Nbut it's very possible they may say "you're on your own"
NOK, I would like to discuss where we want to go from here.
NI'll lay out 2 scenarios from where I'm sitting.
N- We recover the key
- We don't recover the key.
NWorst case scenario, we don't recover the key.
Bpause plz
Bwho filed the ticket with github about the secret compromise?
NI believe it would be Jorge?
EJorge
Bok... i can't see that one so was trying to get it for context. thank you
Bcarry on
NBasically what I'm trying to lay out is what is our game plan moving forward? It would be helpful to determine what we need to do in order in both cases.
HIf we can't recover the key, I have a regex for signing an image that can be reused to unsign too. I will dig it up and dm if I can't select the relevant part from phone if you guys need it.
Means you can use it and provide potentially a script to update people
Means you can use it and provide potentially a script to update people
EWould that be easier than just telling them to rebase back and forth?
NI think rebasing would be easier.
Xpretty slow, though
EYeah, we shouldn't need a script for this
