SSL cert for https://downloads.vscodium.com is signed by invalid authority

Open trisweb opened this issue 1 year ago • 24 comments

Describe the bug

The current SSL certificate for https://downloads.vscodium.com was created on March 29th, 2025, and expires on the same date in 2026; however, the certificate authority is invalid and untrusted by most clients.

"net::ERR_CERT_AUTHORITY_INVALID"

Please confirm that this problem is VSCodium-specific

  • [x] This bug doesn't happen if I use Microsoft's Visual Studio Code. It only happens in VSCodium.

Please confirm that the issue/resolution isn't already documented

To Reproduce

Steps to reproduce the behavior:

  1. Go to https://download.vscodium.com
  2. Observe net::ERR_CERT_AUTHORITY_INVALID certificate security error

Alternatively, update from the mirrored debian repository hosted on https://download.vscodium.com/ and see error:

E: Failed to fetch https://download.vscodium.com/debs/dists/vscodium/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'https://download.vscodium.com/debs vscodium InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Expected behavior

Self-explanatory

Edit Apr-5: I had "downloads" rather than download above, so when testing still received an invalid cert. Updating for posterity.

trisweb avatar Mar 30 '25 17:03 trisweb

@PalinuroSec

daiyam avatar Mar 30 '25 18:03 daiyam

The vscodium.com domain appears to have expired and DNS NS has switched from registrar-servers.com to bodis.com.

bdube avatar Mar 30 '25 20:03 bdube

Not good at all! I've sent an email to @PalinuroSec. (He has control of the domain name and he's the team leader of ParrotSec.)

@bdube Thx for catching the domain name expiration...

daiyam avatar Mar 30 '25 21:03 daiyam

The domain now appears to be blocked by the AdGuard list.

strasharo avatar Mar 31 '25 10:03 strasharo

The domain now appears to be blocked by the AdGuard list.

Not the domain itself, but the CNAME it points to (bodis.com), as it's a monetization service.

cadusilva avatar Mar 31 '25 10:03 cadusilva

bodis.com is a parking service which is used since the domain name is in its grace period.

Last year, we had the same issue; it took several days to get it sorted out (#1840). I've already asked if I can buy the domain name.

daiyam avatar Mar 31 '25 11:03 daiyam

Oops, I created a kind of duplicate: https://github.com/VSCodium/vscodium.github.io/issues/96

devloberto avatar Mar 31 '25 14:03 devloberto

Last year, we had the same issue...

So we can expect one or more repetitions in the future. This bodes well.

madeddy avatar Mar 31 '25 22:03 madeddy

still occurs!

W: Failed to fetch https://download.vscodium.com/debs/dists/vscodium/InRelease  Could not connect to download.vscodium.com:443 (199.59.243.228). - connect (113: No route to host)

mbnoimi avatar Apr 01 '25 04:04 mbnoimi

bodis.com is a parking service which is used since the domain name is in its grace period.

Last year, we had the same issue; it took several days to get it sorted out (#1840). I've already asked if I can buy the domain name.

Just a bit curious, but how could this happen? Is automatic domain renewal not activated maybe?

Macleykun avatar Apr 01 '25 06:04 Macleykun

we had an issue with our card that refused all the renewals for our infra, including the vscodium domain.

maintaining the domain and the download cdn for this project is a form of donation i'm committed to and a reason to be proud of, but these small incidents have a big impact to the project and i'm very sorry for that.

now the domain got renewed correctly and works again for me, please let me know if the new records are working again for you as well.

p.s. i would like to remind you that i am not the owner of this project, and the actual owners are free to ask for the domain transfer code whenever they like.

PalinuroSec avatar Apr 01 '25 12:04 PalinuroSec

Just a bit curious, but how could this happen? Is automatic domain renewal not activated maybe?

yes, auto-renewal is on. the reason why the payment was declined is to be investigated, as the balance was there and the renewal went well the previous years.

also we got no email alert from namecheap except for one message that went to spam for failed domain verification

PalinuroSec avatar Apr 01 '25 13:04 PalinuroSec

Thanks @PalinuroSec, it happens.

I'd chip in for 5 years if you want to just put some insurance on it for a while.

trisweb avatar Apr 01 '25 13:04 trisweb

that would be nice. actually i was thinking of moving the domain off namecheap and migrate it to infomaniak, where it would be possible to create an organization just for vscodium and allow multiple people to manage its assets, so to avoid single points of failure

PalinuroSec avatar Apr 01 '25 13:04 PalinuroSec

that would be nice. actually i was thinking of moving the domain off namecheap and migrate it to infomaniak, where it would be possible to create an organization just for vscodium and allow multiple people to manage its assets, so to avoid single points of failure

Another one I can recommend is porkbun! It also has the ability to share the access with other users :) ! Source: https://kb.porkbun.com/article/242-subaccounts-vs-authorized-users

Macleykun avatar Apr 01 '25 13:04 Macleykun

maintaining the domain and the download cdn for this project is a form of donation i'm committed to and a reason to be proud of, but these small incidents have a big impact to the project and i'm very sorry for that.

Hi all,

  1. Currently in Kenya — my updates are going through. It may take a few more moments but I am sure in time all people will be able to access the domain.

(But it is unstable

dnf install marble

Updating and loading repositories:
 download.vscodium.com 100% | 716.0 B/s | 2.2 KiB | 00m03s
Librepo error: repomd.xml GPG signature verification error: Error during parsing OpenPGP packets

  1. VSCode is so good that people using vscodium will be many.
  2. Namecheap may be good but maybe there are better solutions — and this is a political/religious/editor war level argument.
  3. xkcd was right

That said I see @trisweb has committed to fund 5 years of domain registration — could you/@VSCodium consider a project/foundation/parent group to actually collect even lower donations and track them so that this never happens again (while VScode is relevant). Maybe even @microsoft would be open to support it?

nindogo avatar Apr 01 '25 19:04 nindogo

For those interested, I've made a new repo for Linux. Please read #2296. Thx

daiyam avatar Apr 02 '25 13:04 daiyam

... migrate it to infomaniak, where it would be possible... allow multiple people to manage its assets, so to avoid single points of failure

Another one...porkbun! It also has the ability to share the access with other users...

That's IMO the most logical idea so far to smooth stuff out and security. I see for now only advantages if we don't ask for the price.

madeddy avatar Apr 05 '25 10:04 madeddy

Checking back on this.

I see vscodium.com is back, and download.vscodium.com now works again as well.

Reiterating my offer to contribute to a longer domain renewal, but I'm happy to wait until the domain is in the right home. Or whatever is easiest if there's already a general donation process. Thanks!

trisweb avatar Apr 05 '25 12:04 trisweb

For those interested, I've made a new repo for Linux.

I'm wondering why you created a new repository. It seems that you are part of the vscodium team. IMHO there should be only one trustworthy repository under a trustworthy domain. I mean thanks for your effort, but users can't rely on any random repository that pops up when the main one breaks. Sorry for being so negative. I'm very grateful for all the work behind vscodium, but it seems that the domain ownership is quite chaotic and I'm wondering if we can trust the project, after all we have seen that happened to liblzma / xz.

sedrubal avatar Apr 05 '25 13:04 sedrubal

@sedrubal I understand the problem.

But as I said, vscodium.com is owned and controlled by @PalinuroSec, who is the team leader of ParrotSec. I don't think there is any security issue there.

For me, it has been 4 years that I'm the main maintainer and I'm not hidden behind a false name. The source code of the project is available. The binaries are fully generated by the GitHub Actions (to avoid any shenanigans). So you are free to audit the project and make your own opinion :wink:

I've built the new repository because:

  • recurrent downtime with the CDN and domain name (when not paid)
  • the old repository doesn't support all the platforms due to file limitations of GitLab (same as for GitHub)
  • I control vscodium.dev (so if there is any issue I can act on it)

daiyam avatar Apr 05 '25 13:04 daiyam

why don't we let both vscodium.com and vscodium.dev point to github pages and mirror the same content? we might even do the same for the repository by using the gitlab artifacts pages? both github and gitlab already provide their assets through a CDN, so we could avoid paying for an extra layer yet preserving the same domain functionality

PalinuroSec avatar Apr 07 '25 13:04 PalinuroSec

why don't we let both vscodium.com and vscodium.dev point to github pages and mirror the same content?

Yep, I was thinking the same.

we might even do the same for the repository by using the gitlab artifacts pages?

Currently, the gitlab repo can't include the arm32 version due to the limitation of 1GB for GitLab Pages. All the .deb and .rpm amount to 1.4GB

daiyam avatar Apr 07 '25 13:04 daiyam

  • recurrent downtime with the CDN and domain name (when not paid)

#2332

daiyam avatar Apr 19 '25 08:04 daiyam

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment, and we'll keep it open. If you have any new additional information, please include it with your comment!

github-actions[bot] avatar Nov 11 '25 01:11 github-actions[bot]