code signing

GitHub hit by hackers; code signing certificates for GitHub Desktop and Atom applications stolen

GitHub has issued a warning about "unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom" in a hack that took place back in December.

Users are being advised to ensure that they install the latest updates for the affected software, but there is currently no suggestion that GitHub.com has been impacted. With the attackers having stolen code signing certificates, GitHub is revoking the certificates for some versions of Atom and GitHub Desktop on February 2, so users should update before this date.

By Sofia Elizabella Wyciślik-Wilson

Why code signing is the talk of the dark web

Code signing certificates are an essential part of our software world. Every software update is signed with a unique machine identity, combining a time stamp with an encryption algorithm in the form of an X.509 certificate issued by a trusted certificate authority. This allows other machines to know that the updates are authentic and can be trusted.

Developers sign their code with a private key, and an end user uses the public key from that developer to validate that the code hasn’t changed since the developer signed it. If someone has altered the code, the signature will trigger an untrusted alert, in the same way a website with an untrusted or expired certificate does with transport layer security (TLS) machine identities. Without this system of identity, it would be impossible to deliver software. Without this, you couldn’t use Windows, Mac, or iPhone, let alone fly on a modern Airbus or Boeing aircraft. And it’s quickly becoming the same way in the cloud-native world of Kubernetes.

By Kevin Bocek

© 1998-2025 BetaNews, Inc. All Rights Reserved.