Rexios80/hds_overlay

Github Recovery_CERTIFICATE_PASSWORD

Closed this issue · 5 comments

Hello Rexios80,

GitHub is a truly awesome service, but putting sensitive data like the SSL certificate path and password, together with the CN number, visible on GitHub creates a vulnerability for end-to-end communication, which might create a man-in-the-middle attack.

Please find the link below:
https://github.com/Rexios80/Health-Data-Server-Overlay.git

POC (from the repository's pubspec.yaml):

certificate_path: windows\fluttercertificate.pfx
certificate_password: f>G@wtohG7]Y
publisher: CN=3DC3FAF1-ABA5-4AAC-856A-275AF0D1C0B4

Regards,
Tushar Sawant
sawant.t.23@gmail.com
+91-9561345722

If you can figure out how to use environment variables to get that done in the pubspec and GitHub Actions be my guest

Also it’s not used for communication just signing. And the Microsoft store signs with a different certificate anyways I’m pretty sure.

Actually there's a way to run the msix generation command with parameters. I'll just get it done.

Generated a new certificate with a different password and used GitHub secrets to store them
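The fix the maintainer describes in the last two comments (keep the signing password out of pubspec.yaml, store it in GitHub secrets, and pass it to the msix generation command as parameters) can be wrapped in a small build script that also refuses to build while a literal password is still in the pubspec, so the same leak cannot silently come back. This is an added example, not code from the Health-Data-Server-Overlay repository; it assumes the environment variable names CERTIFICATE_PATH, CERTIFICATE_PASSWORD and MSIX_PUBLISHER (chosen here), and that the msix package's `msix:create` command accepts `--certificate-path`, `--certificate-password` and `--publisher` as command-line options overriding pubspec.yaml (true of recent msix package versions; check the version you use).

```shell
#!/bin/sh
# Added example (not the project's own code): keep the MSIX signing password
# out of pubspec.yaml and supply it from the CI environment at build time.

# pubspec_has_literal_secret FILE
# Returns 0 (true) when FILE carries a hard-coded certificate_password value.
# An absent key, an empty value, an empty quoted string ("" or '') or a bare
# YAML comment after the colon all count as "no literal secret".
pubspec_has_literal_secret() {
    value=$(sed -n -E 's/^[[:space:]]*certificate_password:[[:space:]]*//p' "$1" \
            | sed -E "s/[[:space:]]*#.*$//; s/^[\"']//; s/[\"']$//; s/[[:space:]]*$//" \
            | head -n 1)
    [ -n "$value" ]
}

# build_msix_signed PUBSPEC
# Refuses to build while PUBSPEC still contains a literal password, then runs
# the msix generator with the signing inputs taken from environment variables.
# In GitHub Actions those variables are populated from repository secrets
# (assumed secret names: CERTIFICATE_PASSWORD, CERTIFICATE_PATH, MSIX_PUBLISHER).
# The ${VAR:?msg} form makes a non-interactive shell exit immediately when a
# variable is unset, so a misconfigured job fails before it produces an
# unsigned or wrongly signed package.
build_msix_signed() {
    if pubspec_has_literal_secret "$1"; then
        echo "refusing to build: $1 contains a hard-coded certificate_password" >&2
        return 1
    fi
    : "${CERTIFICATE_PATH:?CERTIFICATE_PATH not set}"
    : "${CERTIFICATE_PASSWORD:?CERTIFICATE_PASSWORD not set}"
    : "${MSIX_PUBLISHER:?MSIX_PUBLISHER not set}"
    # msix package CLI options (assumption: they override pubspec.yaml values).
    flutter pub run msix:create \
        --certificate-path "$CERTIFICATE_PATH" \
        --certificate-password "$CERTIFICATE_PASSWORD" \
        --publisher "$MSIX_PUBLISHER"
}
```

In a workflow step, map the secrets onto the variables with an `env:` block (for example `CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}`) and call `build_msix_signed pubspec.yaml`; GitHub masks secret values in job logs, but the script still avoids echoing them. The check only prevents a new leak: once a password has been pushed to a public repository it has to be treated as known, so generating a new certificate, as the maintainer did, is the part that actually closes the issue. The same applies to the .pfx file itself if it was committed alongside the password.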