Skip to content

Instantly share code, notes, and snippets.

@guitarrapc
Last active May 26, 2024 18:45
Show Gist options
  • Save guitarrapc/8e6b68f21bc1eef8e7b66bde477d5859 to your computer and use it in GitHub Desktop.
Save guitarrapc/8e6b68f21bc1eef8e7b66bde477d5859 to your computer and use it in GitHub Desktop.
Get Thumbprint of GitHub OIDC, updated on 2022/01/13.
$ openssl s_client -servername token.actions.githubusercontent.com -showcerts -connect token.actions.githubusercontent.com:443 < /dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sed "0,/-END CERTIFICATE-/d" > certificate.crt
$ openssl x509 -in certificate.crt -fingerprint -noout | cut -f2 -d'=' | tr -d ':' | tr '[:upper:]' '[:lower:]'
6938fd4d98bab03faadb97b34396831e3780aea1
-----BEGIN CERTIFICATE-----
MIIE6jCCA9KgAwIBAgIQCjUI1VwpKwF9+K1lwA/35DANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0yMDA5MjQwMDAwMDBaFw0zMDA5MjMyMzU5NTlaME8xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS
U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a
qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn
g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW
raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r
eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBrjCCAaowHQYDVR0OBBYEFLdrouqo
qoSMeeq02g+YssWVdrn0MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFV
MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
EgYDVR0TAQH/BAgwBgEB/wIBADB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDB7BgNV
HR8EdDByMDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
bG9iYWxSb290Q0EuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDAGA1UdIAQpMCcwBwYFZ4EMAQEwCAYG
Z4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEBAHer
t3onPa679n/gWlbJhKrKW3EX3SJH/E6f7tDBpATho+vFScH90cnfjK+URSxGKqNj
OSD5nkoklEHIqdninFQFBstcHL4AGw+oWv8Zu2XHFq8hVt1hBcnpj5h232sb0HIM
ULkwKXq/YFkQZhM6LawVEWwtIwwCPgU7/uWhnOKK24fXSuhe50gG66sSmvKvhMNb
g0qZgYOrAKHKCjxMoiWJKiKnpPMzTFuMLhoClw+dj20tlQj7T9rxkTgl4ZxuYRiH
as6xuwAwapu3r9rxxZf+ingkquqTgLozZXq8oXfpf2kUCwA/d5KxTVtzhwoT0JzI
8ks5T1KESaZMkE4f97Q=
-----END CERTIFICATE-----
$ curl https://token.actions.githubusercontent.com/.well-known/openid-configuration
$ openssl s_client -servername token.actions.githubusercontent.com -showcerts -connect token.actions.githubusercontent.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.actions.githubusercontent.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.actions.githubusercontent.com
i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
MIIG9jCCBd6gAwIBAgIQCFCR4fqbkQJJbzQZsc87qzANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAxMTEwMDAwMDBa
Fw0yMzAxMTEyMzU5NTlaMHsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxHaXRIdWIsIElu
Yy4xKDAmBgNVBAMMHyouYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcHl5GgNgXYUI5Zz085Ar9wSiI
gdDnOkaXof2u3pcJ1138Tlz6aheVqXfJ8MOAups0LTr9j/dTHAGWKQz0qdyUdYIJ
FwiOlkmphoP+a4xVJXbdVVN7qvmfV8f0YnG5oGVyx9hDl/30JReVIYPbC8JNSiIW
2jMYnjqPu41tPclNNroW9K8gJUzT/WE4LRHohOmR1GbC1xQ8YlFS6pFs+Xuznou8
TzO8PsXRdaDe/7pYZgR/Otv5XLY5siCBraMuxtj1g4Z/Tz8d2Z+sMPIxtHZjxmcu
LPfIix6cARSpJFgGF7Yh9vgLK9jEkgfuU1Nnshv7S6ylIn5SfHNToQjCRSPJAgMB
AAGjggOgMIIDnDAfBgNVHSMEGDAWgBS3a6LqqKqEjHnqtNoPmLLFlXa59DAdBgNV
HQ4EFgQUibMM9Yecb/WbuZDkxiGVR39k0QMwSQYDVR0RBEIwQIIfKi5hY3Rpb25z
LmdpdGh1YnVzZXJjb250ZW50LmNvbYIdYWN0aW9ucy5naXRodWJ1c2VyY29udGVu
dC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjCBjwYDVR0fBIGHMIGEMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5j
b20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTQuY3JsMECgPqA8hjpodHRw
Oi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0Ex
LTQuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6
Ly93d3cuZGlnaWNlcnQuY29tL0NQUzB/BggrBgEFBQcBAQRzMHEwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcwAoY9aHR0cDov
L2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTUlNBU0hBMjU2MjAyMENB
MS0xLmNydDAMBgNVHRMBAf8EAjAAMIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcA
dQCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAX5IjyPvAAAEAwBG
MEQCIDxMGruNl33xLmOdh2UdMxA3aiuIX3vgeXSuXRce6sqBAiApoOxk2sfxfZdw
cMxXuM0B8bfgGiQ7IlG14wRa7KQioAB3ADXPGRu/sWxXvw+tTG1Cy7u2JyAmUeo/
4SrvqAPDO9ZMAAABfkiPI8kAAAQDAEgwRgIhAJJmNVWqVfFlQLdX8sbbQ9VmJA5K
28ldvwLQpnJopgFzAiEAsGYoIzVOBazT96kGYIuJ3k+Zya7PsFtPVyUbOom55PcA
dQCzc3cH4YRQ+GOG1gWp3BEJSnktsWcMC4fc8AMOeTalmgAAAX5IjyPnAAAEAwBG
MEQCIE0NMqwPjqYJwxYqrh7CVueH1rWvKYvRj8cvv3fr7Ku5AiBGFfeJ+Nsy3VCW
TAih+ito29SvJ0TJrDsyHy3PhkmZ6jANBgkqhkiG9w0BAQsFAAOCAQEAih09kwU8
8j/R3/xDkV/2Td/ZbgzUPrrjnMqL32Kv8zqPb0AnaOZbA9XqMuQimLDPqr7fTtKR
BRhXStaNT5s7zZm3g9P+Xsxl2XSiuTbR0Y9MOmfgWA0Jv3vw8zq/etdGBrV0stQ/
JB2GKteYl9hP7eOj0xaNg/ylaCDONG084lqVlugggmsW9RgN3zAESmALahezuzlN
G5asPhNDCIRyo3mm0hHCV4/Kvoura/bGVkc7Wkk6q/cplN5VCSq9wYk2ugEaxsc1
YeqXpxQtRVJTF/UtuNpWS+Tp1COx3DiaoTjCmEImSzYarfZ7QIMR9opxJEPAB52h
s/oLX5ruUXwvIw==
-----END CERTIFICATE-----
1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIE6jCCA9KgAwIBAgIQCjUI1VwpKwF9+K1lwA/35DANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0yMDA5MjQwMDAwMDBaFw0zMDA5MjMyMzU5NTlaME8xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS
U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a
qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn
g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW
raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r
eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBrjCCAaowHQYDVR0OBBYEFLdrouqo
qoSMeeq02g+YssWVdrn0MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFV
MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
EgYDVR0TAQH/BAgwBgEB/wIBADB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDB7BgNV
HR8EdDByMDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
bG9iYWxSb290Q0EuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDAGA1UdIAQpMCcwBwYFZ4EMAQEwCAYG
Z4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEBAHer
t3onPa679n/gWlbJhKrKW3EX3SJH/E6f7tDBpATho+vFScH90cnfjK+URSxGKqNj
OSD5nkoklEHIqdninFQFBstcHL4AGw+oWv8Zu2XHFq8hVt1hBcnpj5h232sb0HIM
ULkwKXq/YFkQZhM6LawVEWwtIwwCPgU7/uWhnOKK24fXSuhe50gG66sSmvKvhMNb
g0qZgYOrAKHKCjxMoiWJKiKnpPMzTFuMLhoClw+dj20tlQj7T9rxkTgl4ZxuYRiH
as6xuwAwapu3r9rxxZf+ingkquqTgLozZXq8oXfpf2kUCwA/d5KxTVtzhwoT0JzI
8ks5T1KESaZMkE4f97Q=
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.actions.githubusercontent.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3854 bytes and written 485 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4C50FF4BC6477E099C9A4CACE6222BB0522842E9B123D53015D48486912CFE6C
Session-ID-ctx:
Master-Key: 886D9942CA50B8C12502A9FED7B65ADA854AF7E716A30BF3C4A635F24EEAFF636EDE536EA741A3A767107CE3C5FDDB04
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 36000 (seconds)
TLS session ticket:
0000 - 00 00 00 00 99 65 c2 71-5b 5c 53 4f 9b 4f 35 86 .....e.q[\SO.O5.
0010 - b3 82 a6 9e 4c e1 ae de-2f c1 33 df 99 53 cb 3f ....L.../.3..S.?
0020 - ee 3a 38 43 78 ed e4 1a-ce ba a3 44 c5 0c 52 fa .:8Cx......D..R.
0030 - 88 9b 37 03 9e a6 80 1b-f1 44 4a 33 c7 cc 8c 8b ..7......DJ3....
0040 - d1 af 4f b9 d5 35 34 30-04 61 42 8e df e3 37 14 ..O..540.aB...7.
0050 - 68 a7 59 6c 28 82 f5 91-df 63 a8 59 ab f3 69 cc h.Yl(....c.Y..i.
0060 - 8c c6 4e 46 28 e4 51 ac-d6 72 d1 6d 08 cf 17 a7 ..NF(.Q..r.m....
0070 - 25 40 dc 25 4f c6 a4 8c-fc de 3b c6 66 66 32 a9 %@.%O.....;.ff2.
0080 - 6b f7 6a 9f a4 d5 22 03-86 b3 2e bb 84 92 2c a1 k.j...".......,.
0090 - 9e 68 24 07 44 6a 4a 66-f0 99 0c 40 c0 6b 17 83 [email protected]..
00a0 - 44 2c 96 61 0f 73 f9 43-e1 b6 27 80 3c ec 32 69 D,.a.s.C..'.<.2i
00b0 - be 0b 68 d7 41 5f 92 98-41 d6 49 38 1c 21 49 6c ..h.A_..A.I8.!Il
00c0 - 20 42 24 12 d4 74 5e be-aa 19 45 7d b1 ee 8f 83 B$..t^...E}....
00d0 - c8 be 3f f7 ca 8d 7b 61-53 c9 06 98 cb db bd ac ..?...{aS.......
00e0 - c6 fa d6 8e 46 52 f6 8f-97 2d 53 93 48 51 43 3b ....FR...-S.HQC;
00f0 - 65 37 c2 2e c3 d1 01 1e-c2 b5 39 ed c7 a1 0f 1e e7........9.....
0100 - 5b f1 21 f4 [.!.
Start Time: 1642036537
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
$ openssl s_client -servername token.actions.githubusercontent.com -connect token.actions.githubusercontent.com:443 < /dev/null | openssl x509 -text
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.actions.githubusercontent.com
verify return:1
DONE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:50:91:e1:fa:9b:91:02:49:6f:34:19:b1:cf:3b:ab
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
Validity
Not Before: Jan 11 00:00:00 2022 GMT
Not After : Jan 11 23:59:59 2023 GMT
Subject: C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.actions.githubusercontent.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9c:1e:5e:46:80:d8:17:61:42:39:67:3d:3c:e4:
0a:fd:c1:28:88:81:d0:e7:3a:46:97:a1:fd:ae:de:
97:09:d7:5d:fc:4e:5c:fa:6a:17:95:a9:77:c9:f0:
c3:80:ba:9b:34:2d:3a:fd:8f:f7:53:1c:01:96:29:
0c:f4:a9:dc:94:75:82:09:17:08:8e:96:49:a9:86:
83:fe:6b:8c:55:25:76:dd:55:53:7b:aa:f9:9f:57:
c7:f4:62:71:b9:a0:65:72:c7:d8:43:97:fd:f4:25:
17:95:21:83:db:0b:c2:4d:4a:22:16:da:33:18:9e:
3a:8f:bb:8d:6d:3d:c9:4d:36:ba:16:f4:af:20:25:
4c:d3:fd:61:38:2d:11:e8:84:e9:91:d4:66:c2:d7:
14:3c:62:51:52:ea:91:6c:f9:7b:b3:9e:8b:bc:4f:
33:bc:3e:c5:d1:75:a0:de:ff:ba:58:66:04:7f:3a:
db:f9:5c:b6:39:b2:20:81:ad:a3:2e:c6:d8:f5:83:
86:7f:4f:3f:1d:d9:9f:ac:30:f2:31:b4:76:63:c6:
67:2e:2c:f7:c8:8b:1e:9c:01:14:a9:24:58:06:17:
b6:21:f6:f8:0b:2b:d8:c4:92:07:ee:53:53:67:b2:
1b:fb:4b:ac:a5:22:7e:52:7c:73:53:a1:08:c2:45:
23:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4
X509v3 Subject Key Identifier:
89:B3:0C:F5:87:9C:6F:F5:9B:B9:90:E4:C6:21:95:47:7F:64:D1:03
X509v3 Subject Alternative Name:
DNS:*.actions.githubusercontent.com, DNS:actions.githubusercontent.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
Full Name:
URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: http://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A:
B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A
Timestamp : Jan 11 09:54:07.471 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:3C:4C:1A:BB:8D:97:7D:F1:2E:63:9D:87:
65:1D:33:10:37:6A:2B:88:5F:7B:E0:79:74:AE:5D:17:
1E:EA:CA:81:02:20:29:A0:EC:64:DA:C7:F1:7D:97:70:
70:CC:57:B8:CD:01:F1:B7:E0:1A:24:3B:22:51:B5:E3:
04:5A:EC:A4:22:A0
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB:
B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C
Timestamp : Jan 11 09:54:07.433 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:92:66:35:55:AA:55:F1:65:40:B7:57:
F2:C6:DB:43:D5:66:24:0E:4A:DB:C9:5D:BF:02:D0:A6:
72:68:A6:01:73:02:21:00:B0:66:28:23:35:4E:05:AC:
D3:F7:A9:06:60:8B:89:DE:4F:99:C9:AE:CF:B0:5B:4F:
57:25:1B:3A:89:B9:E4:F7
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09:
4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A
Timestamp : Jan 11 09:54:07.463 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:4D:0D:32:AC:0F:8E:A6:09:C3:16:2A:AE:
1E:C2:56:E7:87:D6:B5:AF:29:8B:D1:8F:C7:2F:BF:77:
EB:EC:AB:B9:02:20:46:15:F7:89:F8:DB:32:DD:50:96:
4C:08:A1:FA:2B:68:DB:D4:AF:27:44:C9:AC:3B:32:1F:
2D:CF:86:49:99:EA
Signature Algorithm: sha256WithRSAEncryption
8a:1d:3d:93:05:3c:f2:3f:d1:df:fc:43:91:5f:f6:4d:df:d9:
6e:0c:d4:3e:ba:e3:9c:ca:8b:df:62:af:f3:3a:8f:6f:40:27:
68:e6:5b:03:d5:ea:32:e4:22:98:b0:cf:aa:be:df:4e:d2:91:
05:18:57:4a:d6:8d:4f:9b:3b:cd:99:b7:83:d3:fe:5e:cc:65:
d9:74:a2:b9:36:d1:d1:8f:4c:3a:67:e0:58:0d:09:bf:7b:f0:
f3:3a:bf:7a:d7:46:06:b5:74:b2:d4:3f:24:1d:86:2a:d7:98:
97:d8:4f:ed:e3:a3:d3:16:8d:83:fc:a5:68:20:ce:34:6d:3c:
e2:5a:95:96:e8:20:82:6b:16:f5:18:0d:df:30:04:4a:60:0b:
6a:17:b3:bb:39:4d:1b:96:ac:3e:13:43:08:84:72:a3:79:a6:
d2:11:c2:57:8f:ca:be:8b:ab:6b:f6:c6:56:47:3b:5a:49:3a:
ab:f7:29:94:de:55:09:2a:bd:c1:89:36:ba:01:1a:c6:c7:35:
61:ea:97:a7:14:2d:45:52:53:17:f5:2d:b8:da:56:4b:e4:e9:
d4:23:b1:dc:38:9a:a1:38:c2:98:42:26:4b:36:1a:ad:f6:7b:
40:83:11:f6:8a:71:24:43:c0:07:9d:a1:b3:fa:0b:5f:9a:ee:
51:7c:2f:23
-----BEGIN CERTIFICATE-----
MIIG9jCCBd6gAwIBAgIQCFCR4fqbkQJJbzQZsc87qzANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAxMTEwMDAwMDBa
Fw0yMzAxMTEyMzU5NTlaMHsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxHaXRIdWIsIElu
Yy4xKDAmBgNVBAMMHyouYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcHl5GgNgXYUI5Zz085Ar9wSiI
gdDnOkaXof2u3pcJ1138Tlz6aheVqXfJ8MOAups0LTr9j/dTHAGWKQz0qdyUdYIJ
FwiOlkmphoP+a4xVJXbdVVN7qvmfV8f0YnG5oGVyx9hDl/30JReVIYPbC8JNSiIW
2jMYnjqPu41tPclNNroW9K8gJUzT/WE4LRHohOmR1GbC1xQ8YlFS6pFs+Xuznou8
TzO8PsXRdaDe/7pYZgR/Otv5XLY5siCBraMuxtj1g4Z/Tz8d2Z+sMPIxtHZjxmcu
LPfIix6cARSpJFgGF7Yh9vgLK9jEkgfuU1Nnshv7S6ylIn5SfHNToQjCRSPJAgMB
AAGjggOgMIIDnDAfBgNVHSMEGDAWgBS3a6LqqKqEjHnqtNoPmLLFlXa59DAdBgNV
HQ4EFgQUibMM9Yecb/WbuZDkxiGVR39k0QMwSQYDVR0RBEIwQIIfKi5hY3Rpb25z
LmdpdGh1YnVzZXJjb250ZW50LmNvbYIdYWN0aW9ucy5naXRodWJ1c2VyY29udGVu
dC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjCBjwYDVR0fBIGHMIGEMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5j
b20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTQuY3JsMECgPqA8hjpodHRw
Oi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0Ex
LTQuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6
Ly93d3cuZGlnaWNlcnQuY29tL0NQUzB/BggrBgEFBQcBAQRzMHEwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcwAoY9aHR0cDov
L2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTUlNBU0hBMjU2MjAyMENB
MS0xLmNydDAMBgNVHRMBAf8EAjAAMIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcA
dQCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAX5IjyPvAAAEAwBG
MEQCIDxMGruNl33xLmOdh2UdMxA3aiuIX3vgeXSuXRce6sqBAiApoOxk2sfxfZdw
cMxXuM0B8bfgGiQ7IlG14wRa7KQioAB3ADXPGRu/sWxXvw+tTG1Cy7u2JyAmUeo/
4SrvqAPDO9ZMAAABfkiPI8kAAAQDAEgwRgIhAJJmNVWqVfFlQLdX8sbbQ9VmJA5K
28ldvwLQpnJopgFzAiEAsGYoIzVOBazT96kGYIuJ3k+Zya7PsFtPVyUbOom55PcA
dQCzc3cH4YRQ+GOG1gWp3BEJSnktsWcMC4fc8AMOeTalmgAAAX5IjyPnAAAEAwBG
MEQCIE0NMqwPjqYJwxYqrh7CVueH1rWvKYvRj8cvv3fr7Ku5AiBGFfeJ+Nsy3VCW
TAih+ito29SvJ0TJrDsyHy3PhkmZ6jANBgkqhkiG9w0BAQsFAAOCAQEAih09kwU8
8j/R3/xDkV/2Td/ZbgzUPrrjnMqL32Kv8zqPb0AnaOZbA9XqMuQimLDPqr7fTtKR
BRhXStaNT5s7zZm3g9P+Xsxl2XSiuTbR0Y9MOmfgWA0Jv3vw8zq/etdGBrV0stQ/
JB2GKteYl9hP7eOj0xaNg/ylaCDONG084lqVlugggmsW9RgN3zAESmALahezuzlN
G5asPhNDCIRyo3mm0hHCV4/Kvoura/bGVkc7Wkk6q/cplN5VCSq9wYk2ugEaxsc1
YeqXpxQtRVJTF/UtuNpWS+Tp1COx3DiaoTjCmEImSzYarfZ7QIMR9opxJEPAB52h
s/oLX5ruUXwvIw==
-----END CERTIFICATE-----
// oidc provider
resource "aws_iam_openid_connect_provider" "main" {
url = "https://token.actions.githubusercontent.com"
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e", "6938fd4d98bab03faadb97b34396831e3780aea1"] // added new thumbprint
}
@pcothenet
Copy link

@guitarrapc thanks for posting this, this helped us with the prior certificate expiring. I don't want to have the same problem in January 2023 though. Do you know if there is a way to know the next thumbprint before the certificate expires. How long before expiration does GH change their certificate?

@guitarrapc
Copy link
Author

@pcothenet I have no idea about how GH handle next certificate renewal 😢 I hope they prepare 2-N weeks before certificate expires, but it's depends on service and no guranteed at all.

@pcothenet
Copy link

pcothenet commented Jan 19, 2022 via email

@ckingbailey
Copy link

There's an issue on the aws-actions/configure-aws-credentials repo (with a Terraform solution) related to this: aws-actions/configure-aws-credentials#357

@joaoluiznaufel
Copy link

nice one. thanks for this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment