Issue
At Salesforce, Trust is our #1 value, and we take the protection of our customers’ data very seriously. On April 15, 2021, Salesforce was notified of an issue with the Codecov Bash Uploader that may have an impact on the Salesforce Heroku CLI binary environment.
Resolution
- On April 15, 2021, Salesforce was notified of an issue with the Codecov Bash Uploader that may have an impact on the Salesforce Heroku CLI binary environment.
- We have revoked the Heroku CLI binary code-signing certificate for Microsoft Windows as we continue to fully investigate and assess the impact of this issue.
- As part of our standard remediation process when we discover issues of this type, we take immediate action to prevent any potential unintended access to customer data.
- While we have no evidence at this time of unauthorized access to customer data, we continue to explore the full impact of the issue with the Codecov Bash Uploader.
- We are working to make a trusted binary available for download. We do not yet have an estimated time of availability for that new binary.
- Because the Heroku CLI binary code-signing certificate has been revoked, some Windows users may encounter a pop-up window when installing the Heroku CLI binary.
- This pop-up will indicate that that the binary is no longer trusted and ask the user whether the user would like to continue the install.
- Other customers may simply be unable to download the binary, or be blocked from using an existing installed version, due to the fact that the certificate is no longer considered trusted.
- NOTE: If given the option of continuing with the install, we recommend that you do NOT take that action as we are still evaluating the potential risks associated with this issue.
- In the interim, we recommend that you use the Heroku Dashboard as an alternative.