Re: CLI Certificate Key Exposure

Travis McPeak

Two small corrections to the above note:

- The latest version of the installer and binary is 6.21.1
- The Windows binary and installer did not require re-signing to rotate
the certificate

On Thu, Sep 15, 2016 at 12:19 PM, Travis McPeak <tmcpeak(a)>

CLI Certificate Key Exposure

September 15, 2016
What Happened?

The private keys used to sign the certificates for Mac and Windows CLI
installation packages may have been exposed, and have been rotated as a
precautionary measure.
How Did it Happen?

During a tooling upgrade performed by the Cloud Foundry CLI team on
September 7th (2016), typical authorization checks that restrict access to
sensitive material including credentials was removed. When the issue was
discovered two days later (Friday September 9th) all exposed secrets were
rotated. One rotated credential provided access to the system where the
signing key for CLI installers and binaries is stored. As a precaution the
key has been rotated and associated certificates have been revoked.
What Has Been Done to Correct the Issue?


The private keys used to sign installers and binaries have been

Apple and Comodo certificates using the old key have been revoked.

Installers and (Windows binary) for the latest version (6.21.0) have
been re-signed using the new key and are available on the standard release

The CLI team will perform a retrospective to determine how similar
exposure will be prevented in the future.

What Actions Do I Need to Take as a User?


Windows binaries and installers will automatically begin validating
using the newly issued certificate - no user action is required.

Apple installers signed with an old version of the certificate will
stop working as of September 15, 2016. Please download a new version of
the installer and install normally.

Apple/Linux binaries and Linux installer packages are not currently
signed, so no user action is required.

Join to automatically receive all group messages.