The machine hosting the ROS 1 build farm was compromised (possibly via a vuln in the Jenkins Groovy plugin), with sufficient privilege escalation to access the GPG keys for signing packages in the ROS repository. Keys were rotated and a full rebuild was triggered.
- "we are unlikely to ever be able to completely rule out malicious interference in the ROS binary packaging pipeline"
- Unsupported ROS distros that previously had binary packages were moved to a different repo with unique keys
- Users needed to rotate public keys manually on the client side
- Downstream users needed to update their Dockerfiles and Travis/GitLab CI files
Attack Chaining via Trust & Signing, Publishing Infrastructure and Dev Tooling - Build farm compromise with access to private keys used for repo