Security issue on ROS build farm

The machine hosting the ROS 1 build farm was compromised (possibly via a vuln in the Jenkins Groovy plugin), with sufficient privilege escalation to access the GPG keys for signing packages in the ROS repository. Keys were rotated and a full rebuild was triggered.

Impact

“we are unlikely to ever be able to completely rule out malicious interference in the ROS binary packaging pipeline”
Unsupported ROS distros that previously had binary packages were moved to a different repo with unique keys
Users needed to rotate public keys manually on the client side
Downstream users needed to update their Dockerfiles and Travis/GitLab CI files

Type of compromise

Attack Chaining via Trust & Signing, Publishing Infrastructure and Dev Tooling - Build farm compromise with access to private keys used for repo

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.