[Suggestion] Hey everyone, this is as secure as you want it to be #92
Comments
|
I did it this way:
The least fear inducing way to generate proofs does feel like the above (although, it's needlessly paranoiad). Would be an idea to host the web based tool on GitHub Pages, but maybe the "barrier to entry" is intentional. 🤷🏾♂️ |
|
Well, It's safe so far using bash scripts. |
|
I am wondering whether I can first delete the public key (in GitHub Settings) and then utilize the corresponding private key to generate proof. If this is permissible, the process would be entirely secure. Even if a hacker manages to acquire my private key for proof, it would be futile since the corresponding public key for SSH authentication is no longer viable. |
|
The blob is a snapshot, so no matter what you do with your pub key on your github account, it won't change anything. |
|
@habaneraa If you want to make it as secure as possible, try to rotate all of your keys and remove the old public key from your Github account. |
|
Yes just rotate keys once complete. ...And maybe, optionally, backup your old one. |
Hi! I'm not related to this project at all, a friend sent me this and I thought I could help at least a little.
First of all, you're all right in being kinda paranoid, since you can get an information leak or even totally pwned by messing with containers if you don't know what you are doing. I don't know about the other methods, but this is what I did for him, though I do not make myself responsible for anyone doing silly things or not checking twice.
I suggested following these steps to my friend -> manual instructions, which are way more visually probable secure.
Through these steps
The short explanation for these steps is that inside the metadata.bin, you have this sort of "challenge", associated with every eligible GitHub account. It is being done via those accounts' public keys since it is public information. For example, mine are github.com/mattaereal.keys.
This type of thing is a security measure to prevent people from getting usernames squatted, among other things.
Only the right holders of the ssh private key to that public ssh key are the ones that will be able to decrypt this kind of "challenge". And this is the only way or situation where you're going to use your private key, to use the command line
ageto decrypt that kind of information.Then, if I'm not mistaken, since it's reusing Merkle proofs to validate this "challenge" has been solved, it created a temporary address with its respective private key, which is embedded inside the decrypted "challenge" and used to generate this proof. In the last commands, the second time you must provide information of your own is when you are asked to select your Ethereum address which is where you will receive the tokens.
And that would be it.
In the case of my friend, I did everything as the instructions suggested except I never introduced my ssh key in the container, and I just ran the command age on my host because I had it already installed. Pasted the decrypted data again into the container, and continued until I finished.
Again, I did this a few minutes ago and really really fast because I was leaving work, but I hope this clarifies a little. Am I only describing this situation because I saw many people from Latam trying to claim and right now that amount (if they were not to hold it) is a lot for underdeveloped countries. So I hope everyone who needs this may find a way to claim it.
Cheers.
The text was updated successfully, but these errors were encountered: