Fix guide · critical · private_key_block

Private key block embedded in client code

What this rule means

A -----BEGIN ... PRIVATE KEY----- block was found in your deployed JavaScript.

Why it matters

Whatever the key is for (TLS, SSH, JWT signing, code signing), it is now compromised: a client bundle is public, so anyone who loads your app can download and read the key. Anyone holding the private key can impersonate the legitimate owner, decrypt data encrypted to the matching public key, or produce signatures that verifiers will accept as genuine.

How to fix it

  1. Identify what the key is for. Check the type (RSA / EC / PGP / OpenSSH) and the surrounding context.
  2. Rotate it in whatever system issued it (your CA, your code-signing identity, your JWT signing service, etc.).
  3. Audit downstream — anything that trusted the public key counterpart needs to know the private key was compromised.
  4. Move secrets out of source code permanently. Use a secret manager (AWS Secrets Manager, GCP Secret Manager, Vault) or your platform's env-var system.
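A detector for this rule, as an added example that is not vibecheck's own code: it scans a constructed JavaScript bundle for PEM private key blocks, classifies the armor header to support step 1, and reports a redacted match in the same spirit as the inspection report. The bundle contents, the key bodies and the `KEY_TYPES` labels are this example's own assumptions.

```javascript
// Added example (not vibecheck's code): find PEM private key blocks in a JS
// bundle, classify them for step 1 above, and report a redacted match.
// Minified bundles usually hold the key as a string literal with "\n" escapes
// rather than real newlines, so the body pattern tolerates both.
const PEM_PRIVATE_KEY = /(-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY(?: BLOCK)?)-----)([\s\S]*?)(-----END \2-----)/g;

// Header label -> what the key actually is (drives the rotation step).
const KEY_TYPES = {
  'RSA PRIVATE KEY': 'RSA (PKCS#1)',
  'DSA PRIVATE KEY': 'DSA',
  'EC PRIVATE KEY': 'EC (SEC1)',
  'PRIVATE KEY': 'PKCS#8 (RSA, EC or EdDSA; check the ASN.1 OID)',
  'ENCRYPTED PRIVATE KEY': 'PKCS#8, passphrase-encrypted',
  'OPENSSH PRIVATE KEY': 'OpenSSH native format',
  'PGP PRIVATE KEY BLOCK': 'OpenPGP armored secret key',
};

// Keep the armor headers and a short prefix of the body so the finding can be
// matched against the bundle without copying the full secret into a report.
function redact(header, body, footer, keep = 12) {
  const clean = body.replace(/\\[rn]|\s/g, '');   // drop real and escaped newlines
  const hidden = Math.max(clean.length - keep, 0);
  return `${header} ${clean.slice(0, keep)}...[${hidden} chars redacted] ${footer}`;
}

function findPrivateKeyBlocks(source) {
  const findings = [];
  for (const m of source.matchAll(PEM_PRIVATE_KEY)) {
    const [, header, label, body, footer] = m;
    findings.push({
      type: KEY_TYPES[label] || `unknown PEM label "${label}"`,
      line: source.slice(0, m.index).split('\n').length,
      redacted: redact(header, body, footer),
    });
  }
  return findings;
}

// Constructed sample bundle; the key bodies are placeholders, not real keys.
const SAMPLE_BUNDLE = [
  'var cfg={apiBase:"https://api.example.test"};',
  'var signer="-----BEGIN RSA PRIVATE KEY-----\\nMIIEFAKEFAKEFAKE0000000000000000\\n-----END RSA PRIVATE KEY-----";',
  'var ssh="-----BEGIN OPENSSH PRIVATE KEY-----\\nb3BlbnNzaC1rZXktdjEAAAAAFAKEFAKE\\n-----END OPENSSH PRIVATE KEY-----";',
  'var pub="-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFAKE\\n-----END PUBLIC KEY-----";',
].join('\n');

for (const f of findPrivateKeyBlocks(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.type}\n  ${f.redacted}`);
}
```

Public key blocks are deliberately ignored, since they are expected in client code; only the two private key strings in the sample are reported.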

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
