Description
The .env.example file contains what appears to be a real RSA private key
and worker secret used as example values rather than placeholder strings.
Specifically:
- WORKER_RUNS_PRIVATE_KEY is set to a base64-encoded value that decodes to
  a complete -----BEGIN RSA PRIVATE KEY----- block
- WORKER_SECRET is set to what appears to be a real 256-bit secret value
Risk
Any operator who copies these values into a production .env without
generating new keys will be running with publicly known credentials.
Anyone with read access to this repo can use the key and secret to
authenticate as a worker to any Lightning instance that is still
configured with the example values.
Suggested Fix
Replace the real key material with generation instructions:
# WORKER_RUNS_PRIVATE_KEY="generate with: mix lightning.gen_worker_keys"
# WORKER_SECRET="generate with: mix lightning.gen_worker_keys"
DEPLOYMENT.md already documents mix lightning.gen_worker_keys; pointing
operators to it from .env.example is safer than shipping usable keys.
Because the current values remain in the repository history, any instance
that was deployed from them should also rotate to freshly generated keys.
Steps to Verify
echo "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ..." | base64 -d
# Prints a complete -----BEGIN RSA PRIVATE KEY----- block, not a placeholder
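A repeatable check for this class of mistake, added here as an example (it is not part of this report or of the Lightning project): it parses a .env.example, flags values that are base64-encoded PEM private keys or long high-entropy tokens, and treats commented-out lines and values carrying placeholder words as instructions rather than credentials. The two sample files, the dummy PEM body, the deterministic stand-in secret and the placeholder word list are all constructed for this example; the dummy key is not real key material.

```python
import base64
import binascii
import hashlib
import math
import re

# Hypothetical placeholder markers (assumption for this example): a value that
# contains one of these is an instruction to the operator, not a credential.
PLACEHOLDER_HINTS = ("generate", "changeme", "replace", "your", "example",
                     "placeholder", "xxx", "<")

# Values that look like raw key material: one long token from a base64/hex-style
# alphabet, with no spaces or punctuation that natural-language text would carry.
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decodes_to_pem(value: str) -> bool:
    """True if value is strict base64 whose decoding is a PEM private-key block."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    text = raw.decode("ascii", errors="ignore")
    return "-----BEGIN " in text and "PRIVATE KEY-----" in text


def parse_env(text: str):
    """Yield (key, value) for live assignments; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out line cannot leak a usable value
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip(), value.strip().strip('"').strip("'")


def scan_env_example(text: str) -> list:
    """Return [(key, reason)] for every value that looks like real key material."""
    findings = []
    for key, value in parse_env(text):
        if any(h in value.lower() for h in PLACEHOLDER_HINTS):
            continue
        if value.startswith("-----BEGIN ") or decodes_to_pem(value):
            findings.append((key, "private key material"))
        elif TOKEN_RE.match(value) and shannon_entropy(value) >= 3.5:
            findings.append((key, "high-entropy secret"))
    return findings


# Constructed sample inputs. The PEM body below is a dummy, not a real key; the
# secret is derived from a fixed string so the example is deterministic.
_DUMMY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEAdummyNotARealKeyConstructedForThisExample\n"
    "-----END RSA PRIVATE KEY-----\n"
)
_DUMMY_SECRET = base64.b64encode(
    hashlib.sha256(b"constructed example secret, not a real one").digest()
).decode()

LEAKY_ENV_EXAMPLE = (
    "# Worker configuration\n"
    f'WORKER_RUNS_PRIVATE_KEY="{base64.b64encode(_DUMMY_PEM.encode()).decode()}"\n'
    f"WORKER_SECRET={_DUMMY_SECRET}\n"
    "DATABASE_URL=postgres://postgres:postgres@localhost/lightning_dev\n"
)

SAFE_ENV_EXAMPLE = (
    "# Worker configuration\n"
    '# WORKER_RUNS_PRIVATE_KEY="generate with: mix lightning.gen_worker_keys"\n'
    '# WORKER_SECRET="generate with: mix lightning.gen_worker_keys"\n'
    "DATABASE_URL=postgres://postgres:postgres@localhost/lightning_dev\n"
)

if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY_ENV_EXAMPLE), ("fixed", SAFE_ENV_EXAMPLE)):
        print(name, scan_env_example(sample))
```

Run it against the repository's .env.example in CI and fail the build on any finding. The entropy threshold is a heuristic: it catches base64 and hex tokens of the size used for worker secrets, but a short or deliberately low-entropy secret would slip past it, so the PEM decode check and a review of any value that is not a documented placeholder remain the authoritative test.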