Skip to content

chore(security): ignore .updater-key-password Tauri signing passphrase#302

Open
KooshaPari wants to merge 1 commit into
mainfrom
chore/security-gitignore-updater-secret
Open

chore(security): ignore .updater-key-password Tauri signing passphrase#302
KooshaPari wants to merge 1 commit into
mainfrom
chore/security-gitignore-updater-secret

Conversation

@KooshaPari

Copy link
Copy Markdown
Owner

Summary

The Tauri updater private-key passphrase was sitting untracked in src-tauri/.updater-key-password with no .gitignore coverage.

Risk

Anyone with access to a stale git-status or git-add -A run could inadvertently commit it, leaking the passphrase that decrypts the updater private key (the sibling half updater.key.pub is intentionally committed because it's a public key).

Fix

Add to root .gitignore so future clones/commits skip it.

Refs: BytePort-audit.json §L5 (security)

The Tauri updater private-key passphrase was sitting untracked in
src-tauri/.updater-key-password with no .gitignore coverage.

Risk: anyone with access to a stale git-status or git-add -A run could
inadvertently commit it, leaking the passphrase that decrypts the
updater private key (which IS committed as the non-secret sibling
updater.key.pub).

Fix: add to root .gitignore so future clones/commits skip it. Public
half of the key (updater.key.pub) is already in .gitignore's sibling
section and stays that way.

No other behavior changes. No files moved or renamed.
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@sonarqubecloud

sonarqubecloud Bot commented Jul 4, 2026

Copy link
Copy Markdown

Comment thread .gitignore
*.local
*.pem
*.key
*.password

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SUGGESTION: *.password does not match the target secret and is broader than needed

The secret named in the PR is .updater-key-password, which has no .password extension, so this glob does not actually cover it — protection for that file comes entirely from the .updater-key* pattern on line 65. This glob is also broad: it would silently ignore any future tracked file ending in .password (e.g. a test fixture db.password). Consider removing *.password, or scoping it to the real target so the ignore is intentional and auditable.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

@kilo-code-bot

kilo-code-bot Bot commented Jul 7, 2026

Copy link
Copy Markdown

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 0
SUGGESTION 1
Issue Details (click to expand)

SUGGESTION

File Line Issue
.gitignore 64 *.password does not match the target .updater-key-password (no .password extension) and is broader than needed; the actual protection comes from .updater-key* on line 65.
Files Reviewed (1 file)
  • .gitignore - 1 issue

Considerations

  • .gitignore only prevents future commits. If .updater-key-password (or the updater private key) was ever committed and later deleted, it still lives in git history and .gitignore won't remove it. Verify with git log --all -- src-tauri/.updater-key-password (and the key path); if any history exists, rotate the updater key + passphrase, since .gitignore is not a remediation for an already-leaked secret.
  • .updater-key* is broad by design and correctly excludes the public updater.key.pub (no leading dot), so the public key stays committable as intended. Confirm no legitimate tracked dotfile matches .updater-key* that the build needs.

Fix these issues in Kilo Cloud


Reviewed by hy3-20260706:free · Input: 54.3K · Output: 9.1K · Cached: 72.6K

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant