When you create an app in GitHub - you are required to create a private key so that you can sign requests on behalf of your app.
Sounds reasonable.
However... to create the private key, they require you to download the private key from them. Which means they have it. So ANY APP on GitHub can be impersonated by GitHub as they have the key material for every app... so what is the point?
1 comment
[ 780 ms ] story [ 19.4 ms ] threadSounds reasonable.
However... to create the private key, they require you to download the private key from them. Which means they have it. So ANY APP on GitHub can be impersonated by GitHub as they have the key material for every app... so what is the point?
Am I losing my mind?
edit: i can't edit the link - it should be https://github.com/settings/apps