RadarCOVID/radar-covid-ios

private keys leaked?

miguelangel-dev opened this issue · 2 comments

Even if these keys were used in the pilot, they should not be committed.

  • RadarCovid/Supporting: pinning certs and private keys are exposed here.
  • RadarCovid/Config: endpoints together with hardcoded pre/pro keys.

They have been compromised, so:

  1. .gitignore should be updated accordingly, adding these 2 rules, and removing the current ones.
  2. Cert rotation should be done after reviewing the Android app.

Both directories only contain public keys.

Yep, you are right. I have reviewed it again, and it seems to be public.
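The question the thread turns on is whether the committed files are private keys or only certificates and public keys, and it was settled by eyeballing them. Below is an added example of a scanner that makes that check repeatable; it is not RadarCOVID code and assumes nothing about the repository beyond file extensions. PEM files are classified by their armour header; bare DER files (the usual format for iOS pinning certs) by a minimal look at the outer ASN.1 SEQUENCE, which is enough to tell an X.509 certificate or SubjectPublicKeyInfo apart from PKCS#8, PKCS#1 or SEC1 private keys. PKCS#12 containers are flagged on extension alone, because they normally bundle a private key. The sample inputs at the bottom are constructed for the example and are structurally shaped, not real keys.

```python
"""Classify key material in a source tree as private or public.

Added example for this issue thread, not code from the RadarCOVID project.
Paths, extensions and sample bytes are assumptions made for illustration.
"""
import os
import re
import sys

PRIVATE_PEM = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
PUBLIC_PEM = re.compile(rb"-----BEGIN (?:CERTIFICATE|PUBLIC KEY|RSA PUBLIC KEY)-----")
EXTS = {".pem", ".cer", ".crt", ".der", ".key", ".p12", ".pfx"}  # assumed set


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos) or None."""
    if pos + 2 > len(buf):
        return None
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return the (tag, value) pairs that make up a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        node = _tlv(value, pos)
        if node is None:
            break
        out.append(node[:2])
        pos = node[2]
    return out


def classify_der(data):
    """Return 'private', 'public' or 'unknown' for a bare DER blob."""
    outer = _tlv(data, 0)
    if outer is None or outer[0] != 0x30:
        return "unknown"
    kids = _children(outer[1])
    if not kids:
        return "unknown"
    first_tag, first_val = kids[0]
    if first_tag == 0x30:
        inner = _children(first_val)
        if inner and inner[0][0] in (0xA0, 0x02):
            return "public"   # X.509 Certificate: tbsCertificate starts with [0] version or serial
        if inner and inner[0][0] == 0x06:
            return "public"   # SubjectPublicKeyInfo: AlgorithmIdentifier starts with an OID
        return "unknown"
    if first_tag == 0x02:
        tags = [t for t, _ in kids]
        if tags == [0x02, 0x02]:
            return "public"   # PKCS#1 RSAPublicKey {n, e}
        if len(tags) >= 3 and tags[1] == 0x30 and tags[2] == 0x04:
            return "private"  # PKCS#8 PrivateKeyInfo {version, algorithm, privateKey}
        if len(tags) >= 2 and tags[1] == 0x04:
            return "private"  # SEC1 ECPrivateKey {version, privateKey, ...}
        if len(tags) >= 9 and all(t == 0x02 for t in tags[:9]):
            return "private"  # PKCS#1 RSAPrivateKey {version, n, e, d, p, q, ...}
    return "unknown"


def classify_bytes(data, ext=""):
    """Classify file contents; PEM by header, PKCS#12 by extension, else DER."""
    if ext in (".p12", ".pfx"):
        return "private"
    if PRIVATE_PEM.search(data):  # a bundle with a key in it is still a leak
        return "private"
    if PUBLIC_PEM.search(data):
        return "public"
    return classify_der(data)


def scan(root):
    """Walk root and return [(path, verdict)] for every key-like file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXTS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.append((path, classify_bytes(fh.read(), ext)))
    return findings


# Constructed samples (structurally shaped, not real key material).
SAMPLES = {
    "pinning cert (PEM)": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
    "leaked key (PEM)": b"-----BEGIN EC PRIVATE KEY-----\nMHQC\n-----END EC PRIVATE KEY-----\n",
    "spki (DER)": bytes.fromhex("3006300406022a03"),
    "pkcs8 key (DER)": bytes.fromhex("300a020100300205000401" "00"),
}

if __name__ == "__main__":
    leaked = False
    for root in sys.argv[1:] or ["."]:
        for path, verdict in scan(root):
            print(f"{verdict:8} {path}")
            leaked |= verdict == "private"
    sys.exit(1 if leaked else 0)
```

Run it from the repository root against the two directories named in the issue (`python check_keys.py RadarCovid/Supporting RadarCovid/Config`, file name assumed); a non-zero exit means a private key is present. Note that `.gitignore` only stops future commits; anything already pushed stays in history until the history is rewritten or, more practically, the material is rotated, which is why rotation is the step that actually matters once a private key has been committed.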