[Important] Impact of codecov.io security issue on Kopia build pipeline

Today we were made aware of a security issue at codecov.io which is used during the automated build process of Kopia.

The breach at an external site may have impacted the integrity of our build process and may allow an attacker to impersonate our software signing credentials unless we revoke them. You can read more about it at Bash Uploader Security Update - Codecov

Since Kopia was using the affected script, out of an abundance of caution we will revoke and re-generate all affected credentials, certificates, service accounts and GPG keys, and we will re-release the latest Kopia as the v0.8.2 release using new signatures very soon.

There’s no indication that any of Kopia’s builds have actually been tampered with, and there are no signs of malicious activity on GitHub or in any repositories we upload build artifacts to.

As soon as the new release is out we will unpublish all releases made during the period this breach was in effect.

Linux users will be required to import a new GPG key to continue receiving updates from the RPM and APT repositories. Older macOS builds may stop working once the certificate revocation takes effect. Windows users should not be affected, since the signing key is stored in hardware and not exposed to the CI/CD environment.

Please stay tuned for future updates.


Thanks for the transparency.
Please do whatever is needed in order to mitigate any theoretical issue, however unlikely it might seem.

Update:

We have released Kopia v0.8.2. It is a re-release of v0.8.1 which uses a new signing certificate on macOS and a new GPG signature for the APT/RPM repository. We have also unpublished all prior v0.8 releases.

The GPG signing key has been republished. You need to update it manually to continue receiving updated builds from the APT/RPM repositories:

APT:

curl -s https://kopia.io/signing-key | sudo apt-key add -

RPM:

rpm --import https://kopia.io/signing-key

We also made improvements to the build process. It is now compartmentalized - we’re isolating each build tool and build phase from each other and only giving them the minimum amount of credentials, which should reduce the impact of upstream breaches in the future.

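The root of this incident was a third-party CI helper script that had been modified upstream and was fetched and executed by build pipelines as-is. The following is an added example, not Kopia's own build code, showing the defensive check a pipeline can apply before running such a script: compare its SHA-256 against a value pinned in the repository and refuse to execute it on mismatch. It assumes sha256sum or shasum is available; the "uploader" script it pins is a constructed stand-in, and in real use the pinned digest would be committed alongside the pipeline configuration rather than computed on the fly.

```shell
#!/bin/sh
# Added example (not Kopia's code): refuse to run a fetched CI helper script
# unless its SHA-256 matches a digest pinned in the repository, so a modified
# upstream copy is rejected instead of executed.

# Portable SHA-256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 only when the file's digest equals the pinned value.
verify_pinned() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# run_pinned FILE EXPECTED_SHA256 [ARGS...]
# Executes the script with sh only after the pin check passes; a freshly
# downloaded script is never piped straight into a shell.
run_pinned() {
  f=$1; want=$2; shift 2
  verify_pinned "$f" "$want" || return 1
  sh "$f" "$@"
}

# Constructed stand-in for a downloaded uploader script (made up for this
# example; its content and therefore its digest are not from any real tool).
make_demo_script() {
  printf '#!/bin/sh\necho "uploading coverage report"\n' > "$1"
}

# Demo: pin the constructed script, run it, then show that a modified copy
# is refused. In a real pipeline $pin is a committed constant, not computed here.
demo=$(mktemp)
make_demo_script "$demo"
pin=$(sha256_of "$demo")
run_pinned "$demo" "$pin"
printf 'echo tampered\n' >> "$demo"
verify_pinned "$demo" "$pin" || echo "refusing to run modified script"
rm -f "$demo"
```

The check only helps if the pinned digest lives in the consuming repository (reviewed like any other change) rather than being fetched from the same upstream as the script, and updating the pin is the moment to diff the new script against the old one.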