
> Let's not forget that certificates are created and checked for github.com, so unlikely for a middleman to get in.

What?

Don't assume that the APKs are generated by GitHub's CI, anyhow, anything can be uploaded as a release



A great example of this would be the XZ backdoor, which never got committed to the source tree, but got implanted in the release tarballs, which were built on the attacker's systems


Github should provide a certificate when binaries are built from source with their tools.


They added something to verify if the binary came out of their CI only a few months ago; I haven't checked now, but it seemed extremely convoluted

In any case, there's for sure no GitHub certificate added to the APKs


NPM has support for github CI provenance. So you can verify that the package on npm was built on the github actions of the repo mentioned in npm.


I saw, nice

It seems to not check it automatically, though?


Yeah, you have to set the provenance flag to true.

  - uses: JS-DevTools/npm-publish@v2
    with:
      token: ${{ secrets.NPM_TOKEN }}
      access: public
      provenance: true
For example
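Added example, not code from the thread or from npm: the consistency check behind "the package was built on the GitHub Actions of the repo mentioned in npm", written against the SLSA provenance v1 field layout (in-toto Statement with predicate.buildDefinition.externalParameters.workflow and predicate.runDetails.builder.id); the tarball, package.json and statement below are constructed, and signature verification of the bundle itself is out of scope.

```python
import hashlib

# Added example, not from the thread; field names follow SLSA provenance v1
# and the sample statement, tarball and package.json below are constructed.
GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"

def repo_from_package_json(pkg: dict) -> str:
    """Normalise package.json 'repository' to https://github.com/owner/name."""
    repo = pkg.get("repository", "")
    url = repo["url"] if isinstance(repo, dict) else repo
    url = url.removeprefix("git+").removesuffix(".git").replace("git://", "https://")
    if url.startswith("github:"):
        url = "https://github.com/" + url[len("github:"):]
    return url.rstrip("/")

def check_provenance(statement: dict, tarball: bytes, pkg: dict) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    # 1. The attested subject must be the tarball actually downloaded.
    digest = hashlib.sha512(tarball).hexdigest()
    if not any(s.get("digest", {}).get("sha512") == digest
               for s in statement.get("subject", [])):
        problems.append("tarball digest not among statement subjects")
    pred = statement.get("predicate", {})
    # 2. The build must have run on GitHub-hosted runners, not an arbitrary box.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != GITHUB_HOSTED_BUILDER:
        problems.append(f"builder {builder!r} is not GitHub-hosted")
    # 3. The workflow's repository must be the one package.json names.
    workflow = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    expected = repo_from_package_json(pkg)
    if workflow.get("repository", "").rstrip("/") != expected:
        problems.append(f"built from {workflow.get('repository')!r}, expected {expected!r}")
    return problems

# Constructed sample: a statement that matches the constructed tarball and package.json.
TARBALL = b"constructed tarball bytes"
PKG = {"name": "example-pkg",
       "repository": {"type": "git", "url": "git+https://github.com/example-org/example-pkg.git"}}
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/example-pkg@1.0.0",
                 "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"externalParameters": {"workflow": {
            "repository": "https://github.com/example-org/example-pkg",
            "ref": "refs/tags/v1.0.0", "path": ".github/workflows/publish.yml"}}},
        "runDetails": {"builder": {"id": GITHUB_HOSTED_BUILDER}}}}
```

A statement whose workflow points at a fork, or whose subject digest does not match the downloaded tarball, comes back with a non-empty problem list.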



