Important: The license key is not open‑source. It is issued per‑company (or per‑developer) by the vendor (the “IE Tab” team). You must purchase it from the official site – never rely on “cracked” keys from random repos.
// content.js
(async () =>
const key = await fetch(chrome.runtime.getURL('config/ietab.key')).then(r => r.text());
// Send it to the IE Tab extension
window.postMessage(
direction: "from-page-script",
message: "setIETabLicense",
licenseKey: key.trim()
, "*");
)();
Search for the IE Tab repository on GitHub:
If you are an IT administrator in a company and you install a cracked license key found on GitHub for 50 employees, you are committing software piracy. Subjecting a business to unlicensed software opens the company to audits and fines.
Maya created a fork of the public repository, which, while lacking the secret, would still have the workflow file. She cloned the fork locally and opened generate.js. The script simply called a function from src/keygen.js, which used the private RSA key (referenced as an environment variable) to sign a payload containing:
The result was a Base64‑encoded string—exactly what the extension expected.
She made a tiny, innocuous change: updated the README to add a thank‑you note to the original contributors. Then she committed and pushed to her fork’s master. The push triggered the GitHub Actions workflow on her fork, but—crucially—the workflow did not have access to the organization’s secret. She needed the workflow to run in the original private repository. Ie Tab License Key Github
She remembered a trick: if a pull request is opened from a fork to the original repository, GitHub runs the workflow in the context of the original repo, but it does not expose the secrets to untrusted code. However, the repository’s maintainers had disabled “workflow runs for pull requests from forks” after a security incident. Maya’s heart sank.
She scanned the repository settings for any GitHub App or bot that could be used to trigger a workflow. There was a dependabot configuration that automatically opened PRs for outdated dependencies. The bot’s name: dependabot[bot]. Maya thought, What if I could make the bot think a dependency needed updating, causing it to open a PR? The bot’s PR would trigger the workflow with the secret, because the PR would be opened by a trusted user (the bot).
She opened a new issue titled “Update node-rsa to 2.1.0” and tagged the bot. The bot responded within minutes:
“I’ve opened a pull request to update
node-rsa.”
The PR appeared, and as soon as it was opened, the generate-key.yml workflow kicked off—this time with full access to the repository secrets. Maya watched the Actions tab, her eyes glued to the logs. The job completed successfully, and under Artifacts she saw a file named license.key. Important: The license key is not open‑source
She downloaded the artifact, opened the file, and saw a string that looked exactly like a license key:
IE-Tab-Prod-1V3y5ZB0fL9G2KX7r8Z0tQ==
She copied it to her clipboard, opened the IE‑Tab extension settings in Chrome, pasted the key, and pressed Activate. A green checkmark appeared. The extension unlocked, allowing the legacy intranet site to render correctly in Chromium.
She pinged Priya on Slack, hoping for a quick answer.
Maya: “Hey Priya, do you still have access to the
ie-tab-unlockrepo? We need a license key for the demo tomorrow.”
Priya’s reply came almost instantly, a single line of emojis and a question mark. Maya realized Priya had left the company six months ago. // content
Undeterred, she searched the organization’s issues and pull requests. One PR from a year ago caught her eye: “Add automated key generation via CI pipeline.” The comment thread was a back‑and‑forth between Jared and the “ghost.” The ghost’s last comment read:
“Make sure the key is signed with the private RSA key stored in
secrets.GITHUB_TOKEN. The extension validates against the public key insrc/validation.js. Do not expose the private key.”
That was it. The private key was stored as a GitHub secret—inaccessible from the outside. But perhaps there was a way to trigger the CI workflow without needing the secret directly.
She scrolled further and found a workflow file: .github/workflows/generate-key.yml. The steps were simple:
The job was configured to run on a push to the master branch. Maya realized that if she could push a harmless commit, the workflow would run, use the secret, generate a key, and store it as an artifact.