Merged
24 changes: 17 additions & 7 deletions .github/workflows/cd.yml
Expand Up @@ -32,11 +32,6 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Create Apple Private Key file
run: |
mkdir -p src/main/resources/keys
echo "${{ secrets.APPLE_PRIVATE_KEY }}" > src/main/resources/keys/AuthKey_${{ secrets.APPLE_KEY_ID }}.p8

- name: Login to DockerHub
uses: docker/login-action@v3
with:
Expand Down Expand Up @@ -71,7 +66,6 @@ jobs:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
APPLE_CLIENT_ID: ${{ secrets.APPLE_CLIENT_ID }}
APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }}
JWT_SECRET: ${{ secrets.JWT_SECRET }}
JWT_REDIRECT_URI: ${{ secrets.JWT_REDIRECT_URI }}
JWT_REDIRECT_URI_DEV: ${{ secrets.JWT_REDIRECT_URI_DEV }}
Expand All @@ -92,6 +86,22 @@ jobs:
source: "docker/,scripts/deploy.sh"
target: "~/deploy/"

- name: Place Apple private key on server
uses: appleboy/ssh-action@v1
env:
APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }}
APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
with:
host: ${{ secrets.EC2_HOST }}
username: ${{ secrets.EC2_USERNAME }}
key: ${{ secrets.EC2_SSH_KEY }}
envs: APPLE_PRIVATE_KEY,APPLE_KEY_ID
script: |
mkdir -p ~/keys
chmod 700 ~/keys
printf '%s' "$APPLE_PRIVATE_KEY" > ~/keys/AuthKey_${APPLE_KEY_ID}.p8
chmod 600 ~/keys/AuthKey_${APPLE_KEY_ID}.p8

- name: Deploy with blue-green strategy
uses: appleboy/ssh-action@v1
with:
Expand All @@ -103,7 +113,7 @@ jobs:
DOCKER_IMAGE,BRANCH,SPRING_PROFILES_ACTIVE,DB_URL,DB_PASSWORD,REDIS_PASSWORD,
DISCORD_WEBHOOK_URL,ANTHROPIC_API_KEY,OPENAI_API_KEY,
KAKAO_REST_API_KEY,KAKAO_CLIENT_SECRET,
APPLE_TEAM_ID,APPLE_KEY_ID,APPLE_CLIENT_ID,APPLE_PRIVATE_KEY,
APPLE_TEAM_ID,APPLE_KEY_ID,APPLE_CLIENT_ID,
JWT_SECRET,JWT_REDIRECT_URI,JWT_REDIRECT_URI_DEV,JWT_LOGIN_FAILURE_REDIRECT_URI,JWT_LOGIN_FAILURE_REDIRECT_URI_DEV,SERVER_DOMAIN
script: |
cd ~/deploy
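Review bot: In the new `Place Apple private key on server` step, the key file is created by the `printf … >` redirect under the remote shell's default umask and only restricted by the `chmod 600` that follows, so until then the 0700 directory is its only protection. Starting the script with `umask 077` gives the directory and the file private modes from creation, and quoting the target as `"$HOME/keys/AuthKey_${APPLE_KEY_ID}.p8"` avoids word splitting on the key id. The step's `with:` block also sets no `fingerprint:`, so the runner does not pin the server's host key before sending the secret; the same appears to hold for the deploy step, whose `with:` block is only partly visible. Key files written for earlier key ids are never removed from `~/keys`, which matters after a rotation.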
2 changes: 1 addition & 1 deletion .gitignore
Expand Up @@ -56,7 +56,7 @@ stop-dev-tunnel.sh
.env

### Apple Private Keys ###
src/main/resources/keys/
/keys
*.p8

### Test json files ###
4 changes: 3 additions & 1 deletion docker/docker-compose.blue.yml
Expand Up @@ -18,11 +18,13 @@ services:
- APPLE_TEAM_ID=${APPLE_TEAM_ID}
- APPLE_KEY_ID=${APPLE_KEY_ID}
- APPLE_CLIENT_ID=${APPLE_CLIENT_ID}
- APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8
- APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8
- JWT_SECRET=${JWT_SECRET}
- JWT_REDIRECT_URI=${JWT_REDIRECT_URI}
- JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI}
- SERVER_DOMAIN=${SERVER_DOMAIN}
volumes:
- ~/keys:/app/keys:ro
networks:
techfork-network:
aliases:
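Review bot: The added `~/keys:/app/keys:ro` bind mount exposes the whole host directory, and the key inside it is mode 0600 in a 0700 directory owned by the SSH deploy user, so the container can read it only if its process runs as that UID or as root. The image's user is not visible in this diff; if it is non-root with a different UID the application will fail to load the key, and running as root just to read it would widen the container's privileges. Consider setting `user:` to the deploy user's UID:GID and mounting only the one file, `- ~/keys/AuthKey_${APPLE_KEY_ID}.p8:/app/keys/AuthKey_${APPLE_KEY_ID}.p8:ro`, so key files left from earlier key ids are not exposed. The same lines are added in docker-compose.dev.yml and docker-compose.green.yml, and the service definition continues outside the hunk.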
4 changes: 3 additions & 1 deletion docker/docker-compose.dev.yml
Expand Up @@ -18,11 +18,13 @@ services:
- APPLE_TEAM_ID=${APPLE_TEAM_ID}
- APPLE_KEY_ID=${APPLE_KEY_ID}
- APPLE_CLIENT_ID=${APPLE_CLIENT_ID}
- APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8
- APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8
- JWT_SECRET=${JWT_SECRET}
- JWT_REDIRECT_URI=${JWT_REDIRECT_URI_DEV}
- JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI_DEV}
- SERVER_DOMAIN=${SERVER_DOMAIN}
volumes:
- ~/keys:/app/keys:ro
networks:
techfork-network:
aliases:
4 changes: 3 additions & 1 deletion docker/docker-compose.green.yml
Expand Up @@ -18,11 +18,13 @@ services:
- APPLE_TEAM_ID=${APPLE_TEAM_ID}
- APPLE_KEY_ID=${APPLE_KEY_ID}
- APPLE_CLIENT_ID=${APPLE_CLIENT_ID}
- APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8
- APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8
- JWT_SECRET=${JWT_SECRET}
- JWT_REDIRECT_URI=${JWT_REDIRECT_URI}
- JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI}
- SERVER_DOMAIN=${SERVER_DOMAIN}
volumes:
- ~/keys:/app/keys:ro
networks:
techfork-network:
aliases:
2 changes: 1 addition & 1 deletion scripts/deploy.sh
Expand Up @@ -102,7 +102,7 @@ trap cleanup EXIT

# Generate .env from SSH-injected environment variables
log "Writing .env file..."
env | grep -E '^(DOCKER_IMAGE|BRANCH|SPRING_PROFILES_ACTIVE|DB_|REDIS_|ANTHROPIC_|OPENAI_|DISCORD_|KAKAO_|APPLE_|JWT_|SERVER_)' > "${DOCKER_DIR}/.env"
env | grep -E '^(DOCKER_IMAGE|BRANCH|SPRING_PROFILES_ACTIVE|DB_|REDIS_|ANTHROPIC_|OPENAI_|DISCORD_|KAKAO_|APPLE_TEAM_ID|APPLE_KEY_ID|APPLE_CLIENT_ID|JWT_|SERVER_)' > "${DOCKER_DIR}/.env"
chmod 600 "${DOCKER_DIR}/.env"

# Step 1: Ensure Docker network exists
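Review bot: The narrowed allowlist on the `env | grep -E` line carries no comment saying why `APPLE_PRIVATE_KEY` is left out, so a later edit could restore the `APPLE_` prefix and write the key into `.env` again. A comment above it such as `# APPLE_PRIVATE_KEY is deliberately excluded: the key is delivered as a file under ~/keys, never through .env` would record the intent. The three Apple names are still matched as prefixes; writing them as `APPLE_TEAM_ID=|APPLE_KEY_ID=|APPLE_CLIENT_ID=` would make the match exact.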
Expand Up @@ -4,11 +4,11 @@
import io.jsonwebtoken.SignatureAlgorithm;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.ClassPathResource;
import org.springframework.stereotype.Component;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
Expand Down Expand Up @@ -65,8 +65,7 @@ public String generateClientSecret() {
*/
private PrivateKey getPrivateKey() throws Exception {
try {
ClassPathResource resource = new ClassPathResource(privateKeyPath);
String privateKeyContent = new String(Files.readAllBytes(resource.getFile().toPath()));
String privateKeyContent = new String(Files.readAllBytes(Paths.get(privateKeyPath)));

// PEM 파일에서 헤더/푸터 제거
privateKeyContent = privateKeyContent
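Review bot: `new String(Files.readAllBytes(Paths.get(privateKeyPath)))` decodes the PEM with the platform default charset and resolves a relative `privateKeyPath` against the process working directory instead of the classpath, which changes where the default `keys/AppleAuthKey.p8` is looked up. Passing the charset explicitly, `new String(Files.readAllBytes(Paths.get(privateKeyPath)), StandardCharsets.US_ASCII)`, keeps decoding independent of the container's locale; it needs the `java.nio.charset.StandardCharsets` import. A short comment on the method stating that the value is a filesystem path, absolute inside containers, would document the new contract. The rest of `getPrivateKey` lies outside the hunk, so how a missing or unreadable file is reported cannot be checked here.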
5 changes: 4 additions & 1 deletion src/main/resources/application-dev.yml
Expand Up @@ -42,4 +42,7 @@ logging:
com.techfork: INFO
org.springframework.batch: INFO
org.hibernate.SQL: INFO
org.hibernate.type.descriptor.sql.BasicBinder: WARN
org.hibernate.type.descriptor.sql.BasicBinder: WARN

apple:
private-key-path: /app/keys/AuthKey_${APPLE_KEY_ID}.p8
2 changes: 1 addition & 1 deletion src/main/resources/application.yml
Expand Up @@ -77,7 +77,7 @@ jwt:
apple:
team-id: ${APPLE_TEAM_ID}
key-id: ${APPLE_KEY_ID}
private-key-path: ${APPLE_PRIVATE_KEY_PATH:keys/AppleAuthKey.p8}
private-key-path: keys/AppleAuthKey.p8

server:
domain: ${SERVER_DOMAIN:localhost}
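Review bot: After this change nothing in `application.yml` mentions `APPLE_PRIVATE_KEY_PATH`, yet the compose files still set it; whether it still overrides `apple.private-key-path` depends on Spring's environment-variable name mapping at the injection point, which is not visible here. If it does not apply, any profile other than dev falls back to the relative `keys/AppleAuthKey.p8`, which the loader now resolves against the working directory. Either keep the explicit form `private-key-path: ${APPLE_PRIVATE_KEY_PATH:keys/AppleAuthKey.p8}` or add a comment such as `# local default; containers override via APPLE_PRIVATE_KEY_PATH (docker-compose.*.yml)`.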