GitHub revokes several certificates after unauthorized access
In a call to action, GitHub warned users of GitHub Desktop for Mac and Atom that it will revoke certificates which were exposed during unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.
Mitigation
Users of GitHub Desktop for Mac and Atom will need to take action before February 2, 2023. There will be no impact to GitHub Desktop for Windows.
The affected versions of Atom are 1.63.0 and 1.63.1. To keep using Atom, users will need to download a previous Atom version. There is no newer version and there will not be one, since Atom has not had significant feature development over the past years and its sunset was announced for December 15, 2022.
Affected versions of GitHub Desktop for Mac are 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Users of these versions are asked to update to the latest version of Desktop.
Certificates
Certificates are used to verify the author of the software or code. Once a certificate is revoked, it can no longer be used to sign new code. Revoking these certificates does not put existing installations of the Desktop and Atom apps at risk.
Even though the certificates were password-protected and there has been no evidence of malicious use, GitHub does not want to take the risk of a threat actor signing unofficial applications with these certificates and pretending that they were officially created by GitHub.
To prevent that from happening, GitHub will revoke three specific certificates: two DigiCert code signing certificates used for Windows and one Apple Developer ID certificate. The DigiCert certificates had a short lifespan left, and as a result they would have been unusable to sign code after February 2, 2023 anyway. The Apple Developer ID certificate is valid until 2027.
Why?
On December 7, 2022, GitHub detected unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. After investigation, no unauthorized changes were found, but a set of encrypted code signing certificates was exfiltrated. During the unauthorized access, which took place on December 6, 2022, repositories from the Atom, Desktop, and other deprecated GitHub-owned organizations were cloned using a compromised Personal Access Token (PAT) associated with a machine account.
GitHub actions
Besides a thorough investigation and revoking the three certificates, GitHub has removed the two affected versions of the Atom app (1.63.0-1.63.1) from the releases page. They are also working with Apple to monitor for any new executable files (like applications) signed with the exposed Apple Developer ID certificate until said certificate is revoked on February 2.