Tell HN: GitHub Apps – Private key is not private(github.com)
1 pointby time4tea7 hours ago1 comment
  • time4tea7 hours ago
    When you create an app in GitHub - you are required to create a private key so that you can sign requests on behalf of your app.

    Sounds reasonable.

    However... to create the private key, they require you to download the private key from them. Which means they have it. So ANY APP on GitHub can be impersonated by GitHub as they have the key material for every app... so what is the point?

    Am I losing my mind?

    edit: i can't edit the link - it should be https://github.com/settings/apps

    • codingdave6 hours ago
      Well, first of all, them giving you the key doesn't prove they kept it. From all I know, it is discarded, not stored.

      But even if they do keep it, github owns their own platform. If they wanted to do shit with your app, they wouldn't need the key for that, they could just skip any security that required the key. At some point, you either trust github to securely host your stuff, or you don't.

      In any case, keys are for protection from 3rd parties and an audit trail of who did what, neither of which are invalidated by github having access to their own platform.

      • time4tea5 hours ago
        Hmm, not sure - the entire point of this sort of thing is that nobody should ever have your private key material. Whether they say they discard it is immaterial, they have had it, so they could use it, and then as far as everyone is concerned, they are you.

        Because the key is sent via the web, anyone in the way can see it. In lots of companies, trusts are manipulated so that the content is visible to intermediate proxies.

        With a private key that has been given to you by somebody else, it is possible to repudiate any transaction that was made with the key. Its not so much as they could skip any security - its that if they have the key, they don't have to.

        keys are protection from anyone, and an audit trail isn't useful when its possible to forge/repudiate literally anything.

        imagine if your card pin was also written down in the card factory - you'd be suspicious that anyone can withdraw money from your account - and the bank would say 'ah but only you know it'. In fact this did happen - the bank was only issuing 3 different pin numbers.