feat(secret): remove Validator/Verifier secret keys from repository #2033
Conversation
outSH
requested review from
petermetz,
takeutak,
izuru0 and
jagpreetsinghsasan
as code owners
|
| GitGuardian id | Secret | Commit | Filename | |
|---|---|---|---|---|
| - | Elliptic Curve Private Key | cf1c07b | packages-python/cactus_validator_socketio_indy/sample-CA/connector.priv | View secret |
| - | Elliptic Curve Private Key | cf1c07b | packages/cactus-plugin-ledger-connector-fabric-socketio/sample-config/CA/connector.priv | View secret |
| - | Elliptic Curve Private Key | cf1c07b | packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/CA/connector.priv | View secret |
| - | Elliptic Curve Private Key | cf1c07b | packages/cactus-plugin-ledger-connector-sawtooth-socketio/sample-config/CA/connector.priv | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedbacks!
outSH
force-pushed
the
remove_hardcoded_keys_pr
branch
from
037100e to
4ec5b88
Compare
There was a problem hiding this comment.
@outSH The CI script is complaining that pull request title " feat(secret): remove Validator/Verifier secret keys from repository" isn't following the convention. It appears there is a leading space character before 'feat'. Can you fix this?
@jagpreetsinghsasan
There is also a test that failed (GitGuardian Security Checks), but I suspect that this is a false positive. It is complaining that there are four secret keys in this PR, but this PR is removing those files. So I don't understand why it is complaining. Can you investigate this problem? thanks.
This is happening because the PR has 3 commits within, where the most earliest commit do contains crypto material. I am sure that a squash merge of the 3 commits shall resolve this. |
ah you are totally right. Thanks for correction. |
packages/cactus-plugin-ledger-connector-fabric-socketio/package.json
Outdated
Show resolved
Hide resolved
outSH
changed the title
@petermetz Thanks for the review :) There's still one dependency that needs to me merged first - #2030. I will do the squash after that |
|
This PR/issue depends on: |
outSH
force-pushed
the
remove_hardcoded_keys_pr
branch
from
88c499a to
db4001c
Compare
|
@petermetz @izuru0 @takeutak This could be merged but |
There was a problem hiding this comment.
@outSH LGTM, thank you!
@petermetz @izuru0 @takeutak This could be merged but GitGuardian Security Checks complains about keys that were removed by this PR. Do you have any solution for this, or can this be ignored and merged with failing check anyway?
Yes, in my opinion.
The Git Guardian checks are experimental for now because the ignore patterns are something that is not yet fully configurable and the examples/test code trips it up sometimes (like in this case).
So we are good to merge IMO, regardless of the GitGuardian check. Once we figured out all the details of how to make it work properly, we can set it up so that it becomes a hard stop for merging PRs, but that will only happen in the future.
- Remove validator sample CA keys hardcoded inside the repository. - Generate fresh ECDSA keys when starting up electricity-trade or discounted-asset-trade sample apps. - Add support for RSA CA keys in fabric-socketio validator. I couldn't find any trivial way of generating ECDSA self-signed certificate (without calling openssl cmdline, which seems poor from functional test perspective), so I've added support for RSA keys to simplify the tests. - Allow selection of jwt algorithm in fabric-socketio validator. It must correspond to the key used. - Update the READMEs, add short description of SSL config option of fabric-socketio validator. Closes: 2016 Closes: 2017 Depends on: 1977 Depends on: 2030 Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>
petermetz
force-pushed
the
remove_hardcoded_keys_pr
branch
from
db4001c to
cf1c07b
Compare
|
FYI: I disabled the git guardian check being required for now. |
or discounted-asset-trade sample apps.
I couldn't find any trivial way of generating ECDSA self-signed certificate
(without calling openssl cmdline, which seems poor from functional test perspective),
so I've added support for RSA keys to simplify the tests.
It must correspond to the key used.
Closes: #2016
Closes: #2017
Depends on #1977
Depends on #2030
Signed-off-by: Michal Bajer michal.bajer@fujitsu.com
I've included commits from the dependencies to simplify the review before they're merged to main. Please review only the last commit: feat(secret): remove Validator/Verifier secret keys from repository