GitHub has rotated its private SSH key for GitHub.com after the secret was accidentally published in a public GitHub repository.
The software development and version control service says the private RSA key was only “briefly” exposed, but that it took action out of “an abundance of caution.”
Unclear window of exposure
In a succinct blog post published today, GitHub acknowledged discovering this week that the RSA SSH private key for GitHub.com had been ephemerally exposed in a public GitHub repository.
“We immediately acted to contain the exposure and began investigating to understand the root cause and impact,” writes Mike Hanley, GitHub’s Chief Security Officer and SVP of Engineering.
“We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change.”
The timing of the discovery is interesting—just weeks after GitHub rolled out secrets scanning for all public repos.
GitHub.com’s latest public key fingerprints are shown below. These can be used to validate that your SSH connection to GitHub’s servers is indeed secure.
As some may notice, only GitHub.com’s RSA SSH key has been impacted and replaced. No change is required for ECDSA or Ed25519 users.
SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA – deprecated)
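One way to act on those fingerprints is to audit a `~/.ssh/known_hosts` file for stale `github.com` entries. The script below is an added example, not code from GitHub or the article: it computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints and flags any `github.com` key whose fingerprint is not in the published set. The key blob and the known_hosts lines are constructed, the IP address is a documentation address, and the expected fingerprint is a placeholder to be filled from GitHub's published list.

```python
import base64
import hashlib
import struct


def ssh_fingerprint(b64_key):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (what `ssh-keygen -lf` shows)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_known_hosts(text, host, expected):
    """Return (keytype, fingerprint, ok) for each plain known_hosts entry naming `host`.
    Hashed entries (|1|...) are skipped: the hostname cannot be read back from them."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, keytype, b64 = fields[0], fields[1], fields[2]
        if host not in hosts.split(","):
            continue
        fp = ssh_fingerprint(b64)
        results.append((keytype, fp, fp in expected))
    return results


# Constructed key material (not real keys): SSH wire format is length-prefixed strings/mpints.
def _string(s):
    return struct.pack(">I", len(s)) + s


def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return _string(raw)


CONSTRUCTED_B64 = base64.b64encode(_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567)).decode()
OTHER_B64 = base64.b64encode(_string(b"ssh-ed25519") + _string(b"\x00" * 32)).decode()
SAMPLE_KNOWN_HOSTS = (
    "github.com,192.0.2.10 ssh-rsa " + CONSTRUCTED_B64 + "\n"
    "example.org ssh-ed25519 " + OTHER_B64 + "\n"
)

if __name__ == "__main__":
    expected = {"SHA256:PLACEHOLDER_PUBLISHED_RSA_FINGERPRINT"}  # fill in from GitHub's published list
    for keytype, fp, ok in audit_known_hosts(SAMPLE_KNOWN_HOSTS, "github.com", expected):
        print(keytype, fp, "OK" if ok else "STALE: remove with `ssh-keygen -R github.com`")
```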
“Please note that this issue was not the result of a compromise of any GitHub systems or customer information,” says GitHub.
“Instead, the exposure was the result of what we believe to be an inadvertent publishing of private information.”
The blog post, however, does not say when exactly the key was exposed or for how long, which leaves the timeline of exposure murky. Such timestamps can typically be ascertained from security logs, should these be available, and from the Git commit history.