[guardian-dev] ALERT: matrix.org compromised, change your IRC passwords

Marcus Hoffmann bubu at bubu1.eu
Fri Apr 12 07:53:49 EDT 2019


On April 12, 2019 12:40:58 PM GMT+02:00, Hans-Christoph Steiner <hans at guardianproject.info> wrote:
>
>Also, more bad news: it seems they kept their GPG signing key for their
>Debian packages online:
>
>https://github.com/matrix-org/matrix.org/issues/364
>
>You should immediately remove the riot Debian repo since the install
>process of deb packages runs things as root.  You can see whether your
>Debian-ish machine has this repo by doing:
>
>$ grep riot.im /etc/apt/sources.list /etc/apt/sources.list.d/*
>
>.hc
>
>Abel Luck:
>> Also folks:
>> 
>> If you still have Riot open and it hasn't logged you out yet, you need
>> to export your E2E room keys so you don't lose your chat history.
>> 
>> Click your profile icon in the top left
>> Choose settings, then security
>> Click export E2E room keys
>> Create a new secure password you store in your password manager to
>> encrypt the keys with
>> Save them and wait for the service to come back so you can import them
>> again
>> 
>> ~abel
>> _______________________________________________
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> To unsubscribe, email:  guardian-dev-unsubscribe at lists.mayfirst.org
>> 
>
>-- 
>PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
>https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556

More details in the already linked blog post:

> This confirms that GPG keys used for signing packages were compromised. These keys are used for signing the synapse debian repository (AD0592FE47F0DF61), and releases of Riot/Web (E019645248E8F4A1). Both keys have now been revoked. The window of compromise for the keys started from April 4th; there have been no Synapse releases since then. There has been one release of Riot/Web (1.0.7), however as the key was passphrased and based on our initial analysis of the release, we believe it to be secure.

Marcus
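The following is an added example, not a script from this thread or from matrix.org. It automates the two checks the thread describes for a Debian-ish host: the `grep riot.im` over the apt sources files that Hans suggests, plus a scan of the apt keyring for the two key IDs the blog post reports as compromised and revoked (AD0592FE47F0DF61 and E019645248E8F4A1, taken from the quoted text). It assumes a POSIX shell and, for the keyring scan, that `apt-key list` is available; the key listing is normalised by stripping spaces so both `apt-key list` fingerprints and `gpg --keyid-format long` output match. The function names and the sample sources/key listings are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a Debian-ish host for the riot.im apt repository and for
# the two matrix.org signing keys the blog post reports as revoked.
# Key IDs are the ones quoted in the thread; everything else is constructed.
REVOKED_KEY_IDS="AD0592FE47F0DF61 E019645248E8F4A1"

# Print every apt source line that references riot.im in the given files.
# Returns 0 if at least one line was found, 1 otherwise (missing files are ignored).
find_riot_sources() {
  grep -H 'riot\.im' "$@" 2>/dev/null
}

# Scan a key listing (e.g. the output of `apt-key list` or
# `gpg --list-keys --keyid-format long`) for the revoked key IDs.
# Spaces are stripped and hex is upper-cased so the grouped fingerprint
# format "AD05 92FE 47F0 DF61" matches the bare 16-character ID.
# Prints each matching ID; returns 0 if any matched, 1 otherwise.
find_revoked_keys() {
  listing="$1"
  found=1
  for id in $REVOKED_KEY_IDS; do
    if printf '%s\n' "$listing" | tr -d ' ' | tr 'a-f' 'A-F' | grep -q "$id"; then
      echo "$id"
      found=0
    fi
  done
  return $found
}

# Run both checks against the live apt configuration of this host.
audit_host() {
  echo "== apt sources referencing riot.im =="
  find_riot_sources /etc/apt/sources.list /etc/apt/sources.list.d/* \
    || echo "(none found)"
  echo "== revoked matrix.org keys present in the apt keyring =="
  if command -v apt-key >/dev/null 2>&1; then
    find_revoked_keys "$(apt-key list 2>/dev/null)" || echo "(none found)"
  else
    echo "apt-key not available; skipping keyring check"
  fi
}

# Only audit when this really is an apt-based system.
if [ -d /etc/apt ]; then
  audit_host
fi
```

If the first check prints a sources line, remove that file (or line) and run `apt-get update` so the repository is no longer trusted; if the second check prints a key ID, remove the corresponding key from the apt keyring as well, since a revoked key left in `trusted.gpg` keeps validating any cached release files it signed.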

