What are the security risks of CD in an open source project?

Question

In the processes of setting up continuous deployment for an open source project with Travis I came across a predicament, can the encrypted private key be easily exfilitrated? For context, the deployment workflow is:

1. In a Travis build job, build and test code
2. If it passes, deploy the code
3. Decrypt the encrypted private SSH key and start the SSH client
4. Push to the Git remote on the production server

Using travis encrypt-file deploy_rsa --add, the private key is encrypted and only decryptable within the Travis build job. Am I correct in the assumption that someone forking the repo and creating a Travis build job will not be able to decrypt the key? In addition, the only attack vector would be for someone with push rights to modify the .travis-ci script to decrypt the key and send it to themselves?

Answer 1

You essentially have three threats here:

1. Someone could modify .travis-ci and use that to exfiltrate the unencrypted key material.
2. You could accidentally check-in or publish the decrypted key material as part of your release process.
3. Someone could attempt to attack the encrypted key-material directly; this is very unlikely given modern practice and current computing power.

The challenge of secret management is common in open source projects; one approach I have taken in the past is to have a second "deploy" stage in a private repository and pipeline. A private repository and pipeline, then ring-fences the sensitive data from malicious actors entirely, protecting yourself from 1 and 3. You can safeguard against two by whitelisting files that can be checked in to decrease the probability of making a mistake.

Finally, an approach that can be used to increase the detectability of an attack is to store the key in AWS CloudHSM, Google Cloud HSM or Azure KeyVault with the goal of marking the private key as non-exportable and then handing off any encrypt, wrap or sign requests to the cloud. This means even if the credentials for the HSM/KeyVault do get exfiltrated you know every time they are used to sign something and can effectively revoke access to the key entirely. Unfortunately, there doesn't seem to be any way of doing this with SSH keys at the moment, however, it works will with code-signing certificates.