CLI Certificate Key Exposure


Travis McPeak
 

September 15, 2016
What Happened?

The private keys used to sign the certificates for Mac and Windows CLI
installation packages may have been exposed, and have been rotated as a
precautionary measure.

How Did it Happen?

During a tooling upgrade performed by the Cloud Foundry CLI team on
September 7th (2016), the usual authorization checks that restrict access to
sensitive material, including credentials, were removed. When the issue was
discovered two days later (Friday, September 9th), all exposed secrets were
rotated. One rotated credential provided access to the system where the
signing key for CLI installers and binaries is stored. As a precaution the
key has been rotated and the associated certificates have been revoked.

What Has Been Done to Correct the Issue?

- The private keys used to sign installers and binaries have been rotated.
- Apple and Comodo certificates using the old key have been revoked.
- Installers and the Windows binary for the latest version (6.21.0) have
  been re-signed using the new key and are available on the standard release
  page.
- The CLI team will perform a retrospective to determine how similar
  exposure will be prevented in the future.

What Actions Do I Need to Take as a User?

- Windows binaries and installers will automatically begin validating
  using the newly issued certificate - no user action is required.
- Apple installers signed with an old version of the certificate will stop
  working as of September 15, 2016. Please download a new version of the
  installer and install normally.
- Apple/Linux binaries and Linux installer packages are not currently
  signed, so no user action is required.
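The following Go program is an added example, not code from Cloud Foundry or from this advisory. It builds a throwaway code-signing PKI with the standard library and replays the three remediation steps listed under "What Has Been Done": rotate the signing key, revoke the old certificate, and re-sign the installer. It also shows the user-facing effect described above: a client that consults the revocation list stops accepting the old signature, while the re-signed artifact verifies. Every name, serial number, key and the "installer" bytes are constructed for the demonstration; the single CA stands in for the Apple and Comodo issuers, and a CRL stands in for their revocation mechanisms.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short: any error here is a bug in the example itself.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and a certificate for it: a self-signed CA that
// may sign certificates and CRLs when parent is nil, else a code-signing leaf.
func newCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // self-signed CA
		parent, parentKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// revoke publishes a CA-signed CRL that lists serial as revoked.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}},
	}, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// signArtifact signs the SHA-256 digest of an installer with the signing key.
func signArtifact(key *ecdsa.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// verifyArtifact is the client-side check: the signing certificate must chain to
// the CA, must not be on the CRL (when one is supplied), and must have signed the bytes.
func verifyArtifact(ca *x509.Certificate, crl *x509.RevocationList, leaf *x509.Certificate, artifact, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return err
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(ca); err != nil { // an unsigned CRL proves nothing
			return err
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("signing certificate serial %v has been revoked", leaf.SerialNumber)
			}
		}
	}
	digest := sha256.Sum256(artifact)
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match artifact (%d bytes)", len(artifact))
	}
	return nil
}

// runRotation replays the response with constructed keys, names and installer bytes
// (example code, not Cloud Foundry's) and reports what a verifying client accepts.
func runRotation() (oldWithoutCRL, oldWithCRL, newWithCRL bool) {
	ca, caKey := newCert(nil, nil, 1, "Example Installer CA")
	oldCert, oldKey := newCert(ca, caKey, 100, "Example CLI Signing")
	installer := []byte("constructed placeholder for installer bytes")
	oldSig := signArtifact(oldKey, installer)
	// Exposure suspected: fresh key pair, old certificate on the CRL, re-sign.
	rotated, rotatedKey := newCert(ca, caKey, 101, "Example CLI Signing")
	crl := revoke(ca, caKey, oldCert.SerialNumber)
	newSig := signArtifact(rotatedKey, installer)
	oldWithoutCRL = verifyArtifact(ca, nil, oldCert, installer, oldSig) == nil
	oldWithCRL = verifyArtifact(ca, crl, oldCert, installer, oldSig) == nil
	newWithCRL = verifyArtifact(ca, crl, rotated, installer, newSig) == nil
	return
}

func main() { fmt.Println(runRotation()) }
```

Run with `go run` and it prints `true false true`: the old signature is still accepted by a client that never fetched the CRL, which is why rotating the key alone is not enough and the old certificates had to be revoked as well; once the CRL is checked the old signature is rejected, and only the installer re-signed with the rotated key passes. The CRL signature check in `verifyArtifact` matters too: a revocation list the client cannot tie back to the issuer is worth nothing.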
