Today we were made aware of a security issue at codecov.io which is used during the automated build process of Kopia.
The breach at an external site may have impacted the integrity of our build process and may allow an attacker to impersonate our software signing credentials unless we revoke them. You can read more about it at Bash Uploader Security Update - Codecov
Since Kopia was using the affected script, out of an abundance of caution we will revoke and re-generate all affected credentials, certificates, service accounts and GPG keys, and we will re-release the latest Kopia as a v0.8.2 release using new signatures very soon.
There's no indication that any of Kopia's builds have actually been tampered with, and there are no signs of malicious activity on GitHub or in any of the repositories we upload build artifacts to.
As soon as the new release is out we will unpublish all releases made during the period this breach was in effect.
Linux users will be required to import the new GPG key to continue receiving updates from the RPM and APT repositories, and older macOS builds may stop working once the certificate revocation takes effect. Windows users should not be affected, since the Windows signing key is stored in hardware and was never exposed to the CI/CD environment.
Please stay tuned for future updates.