GitHub has rotated the RSA SSH host key for GitHub.com after the private key was accidentally exposed in a public GitHub repository.
The company says the private key was only exposed briefly, but it has replaced the key as a precaution. The replacement is complete, and users will see the change propagate over the next thirty minutes.
It has “no reason to believe” that the exposed key was abused, and rotated the key “out of an abundance of caution.”
Although GitHub has changed the key, many documents and software projects, including GitHub’s own, still reference the fingerprint of the now-revoked RSA key.
As such, users should replace the old github.com ssh-rsa entry in ~/.ssh/known_hosts with GitHub’s new RSA public host key; otherwise OpenSSH will warn that the remote host identification has changed and, with the default StrictHostKeyChecking setting, refuse the connection.
When that warning appears, users should confirm that the fingerprint shown on screen matches the one GitHub publishes for its current RSA key before accepting it, since a genuine impersonation attempt would produce exactly the same warning.
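The steps above, as an added example that is not GitHub's tooling: a small Python script that computes a host key's SHA256 fingerprint the way `ssh-keygen -lf` does, compares it against a fingerprint the operator has copied from the vendor's published documentation, and only then replaces the stale github.com ssh-rsa entry in a known_hosts file. The keys and the known_hosts content are constructed toy data (arbitrary integers, not real moduli); the "published" fingerprint is derived from the toy key purely so the example runs offline, whereas in practice it must come from GitHub's documentation rather than from the same ssh-keyscan output that supplied the key.

```python
"""Rotate a host key in known_hosts only after checking its fingerprint
against an out-of-band value. Added example, not GitHub's own code; all
key material below is constructed toy data."""
import base64
import hashlib
import hmac
import struct
from typing import Tuple

# --- SSH wire-format helpers (RFC 4251 string / mpint) -------------------

def ssh_string(b: bytes) -> bytes:
    """uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """Two's-complement big-endian integer; a leading 0x00 is added when the
    top bit would otherwise be set, so a positive value stays positive."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e: int, n: int) -> bytes:
    """The blob that appears base64-encoded in an 'ssh-rsa' known_hosts line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def fingerprint_sha256(blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 of the blob, base64, no '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# --- known_hosts handling ------------------------------------------------

def parse_known_hosts_line(line: str) -> Tuple[str, str, bytes]:
    """Return (hostnames, keytype, blob) for one 'hosts keytype base64 [comment]'
    line; an optional leading @cert-authority / @revoked marker is skipped."""
    parts = line.split()
    if parts and parts[0].startswith("@"):
        parts = parts[1:]
    if len(parts) < 3:
        raise ValueError("not a host key line")
    hosts, keytype, b64text = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64text, validate=True)
    # The blob starts with its own type string; OpenSSH rejects a line whose
    # declared type and embedded type disagree, and so do we.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (inner_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + inner_len].decode("ascii", "replace") != keytype:
        raise ValueError("key type in line does not match key blob")
    return hosts, keytype, blob

def rotate_host_key(known_hosts: str, host: str, new_line: str, trusted_fp: str) -> str:
    """Drop `host`'s entries of the new key's type and append `new_line`, but only
    if the new key's fingerprint equals `trusted_fp` (the published value).
    Hashed entries (`|1|...`) cannot be matched by name; use `ssh-keygen -R` for those."""
    hosts, keytype, blob = parse_known_hosts_line(new_line)
    if host not in hosts.split(","):
        raise ValueError(f"new line is not for {host}")
    seen_fp = fingerprint_sha256(blob)
    if not hmac.compare_digest(seen_fp.encode(), trusted_fp.encode()):
        raise ValueError(f"fingerprint mismatch for {host}: got {seen_fp}, expected {trusted_fp}")
    kept = []
    for line in known_hosts.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            try:
                h, t, _ = parse_known_hosts_line(stripped)
            except ValueError:
                h, t = "", ""
            if host in h.split(",") and t == keytype:
                continue  # the stale key: the line that triggers the "changed" warning
        kept.append(line)
    kept.append(new_line.strip())
    return "\n".join(kept) + "\n"

def rotation_refused(known_hosts: str, host: str, new_line: str, trusted_fp: str) -> bool:
    """True if rotate_host_key rejects the new key (fingerprint or format problem)."""
    try:
        rotate_host_key(known_hosts, host, new_line, trusted_fp)
    except ValueError:
        return True
    return False

# --- constructed sample data (toy integers, not real keys) ---------------

def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

OLD_BLOB = rsa_public_blob(65537, (1 << 2047) | 0xC0FFEE01)  # arbitrary odd integer, not a modulus
NEW_BLOB = rsa_public_blob(65537, (1 << 2047) | 0xBADC0DE1)
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)  # dummy 32-byte point
OLD_LINE = f"github.com ssh-rsa {b64(OLD_BLOB)}"
NEW_LINE = f"github.com ssh-rsa {b64(NEW_BLOB)}"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    OLD_LINE,
    f"github.com ssh-ed25519 {b64(ED25519_BLOB)}",  # other key types are left alone
    f"example.org ssh-rsa {b64(OLD_BLOB)}",         # other hosts are left alone
]) + "\n"
# Real use: type this in from the vendor's docs. Derived here only so the example runs offline.
PUBLISHED_FP = fingerprint_sha256(NEW_BLOB)
```

Running `rotate_host_key(SAMPLE_KNOWN_HOSTS, "github.com", NEW_LINE, PUBLISHED_FP)` yields a file with a single github.com ssh-rsa line holding the new key, the ed25519 and example.org lines untouched; passing the old key's fingerprint instead makes it refuse, which is the behaviour you want when an unexpected "host identification has changed" warning is really an impostor rather than a rotation.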
The timing of the discovery is interesting: it comes just weeks after GitHub rolled out secret scanning for all public repositories.
The exposed RSA key in question does not grant access to GitHub’s infrastructure or customer data. The blog post, however, does not answer when exactly the key was exposed, and for how long, making the timeline of exposure a bit murky.
Such timestamps can typically be recovered from security logs, where they exist, and from the commit history of the repository the key was pushed to.
Rotating a private key once it has leaked, no matter how ‘briefly,’ is in any case a necessary step: an adversary holding a server’s host key can impersonate that server and, by interposing themselves in the connection, read or alter what a user sends and receives.
GitHub has further stated that “this issue was not the result of a compromise of any GitHub systems or customer information” and that “the exposure was the result of what we believe to be an inadvertent publishing of private information.”
Web traffic to GitHub.com and HTTPS Git operations are not affected, since those rely on GitHub’s TLS certificates rather than the SSH host key.