feat: private key formats #59
I think this might be good to have in the SDK as any plugin which needs access to funds will need it.
It makes it easier for plugin devs to be bad actors, swap out prod workers for malicious ones and log PKs etc., but that's a partner's choice to use unofficial plugins, I guess, isn't it?
The decrypt functions should be exported in src/index.ts if we want to use them in conversation-rewards.
Fixed 114a9cf
Related to ubiquity-os/ubiquity-os-kernel#104
Right now there is an issue where a malicious partner can copy another partner's encrypted private key and use it in their own organization.
This PR introduces 3 private key formats:
- `PRIVATE_KEY`
- `PRIVATE_KEY:GITHUB_ORGANIZATION_ID`
- `PRIVATE_KEY:GITHUB_ORGANIZATION_ID:GITHUB_REPOSITORY_ID`
You may read how they're supposed to be used here.
The next step is to validate the organization and repository in the https://github.com/ubiquibot/conversation-rewards plugin, checking whether they are allowed to be used in the organization/repository where the original issue was called from.
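
The three formats and the validation step described above, as an added TypeScript example that is not part of this PR or the SDK. `parseDecryptedKey`, `isKeyAllowed` and `allowUnbound` are hypothetical names, the sample key is constructed, and rejecting the unbound `PRIVATE_KEY` format by default is an assumption.

```typescript
// Added example; names are hypothetical, not the SDK's exports.
interface ParsedKey {
  privateKey: string;
  orgId: number | null;  // null when the value carries no organization binding
  repoId: number | null; // null when the value carries no repository binding
}

// Constructed placeholder, not a real key.
const SAMPLE_KEY = "a".repeat(64);

// Parse a decrypted value in one of the three formats listed in the PR.
function parseDecryptedKey(plaintext: string): ParsedKey | null {
  const parts = plaintext.trim().split(":");
  const privateKey = parts[0] ?? "";
  if (privateKey === "" || parts.length > 3) return null;
  const ids: number[] = [];
  for (const raw of parts.slice(1)) {
    // IDs must be plain positive decimal integers: rejects "", "abc", "-5", "1e3".
    if (!/^[1-9][0-9]*$/.test(raw)) return null;
    ids.push(Number(raw));
  }
  return { privateKey, orgId: ids[0] ?? null, repoId: ids[1] ?? null };
}

// Decide whether a decrypted key may be used for an event that originated in
// (callerOrgId, callerRepoId). The caller IDs must come from the event the
// kernel delivered, never from data the plugin configuration supplies.
function isKeyAllowed(
  plaintext: string,
  callerOrgId: number,
  callerRepoId: number,
  allowUnbound = false, // assumption: unbound keys are rejected unless opted in
): boolean {
  const key = parseDecryptedKey(plaintext);
  if (key === null) return false;              // malformed value: fail closed
  if (key.orgId === null) return allowUnbound; // PRIVATE_KEY
  if (key.orgId !== callerOrgId) return false; // ciphertext copied to another org
  if (key.repoId === null) return true;        // PRIVATE_KEY:ORG
  return key.repoId === callerRepoId;          // PRIVATE_KEY:ORG:REPO
}
```

Because the binding sits inside the encrypted value, a ciphertext copied into another organization's configuration still decrypts but fails the organization comparison.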