Comment by heavyset_go

17 hours ago

If you can't use your own keys and verify the process yourself, then no, that is not a guarantee.

Malware developers just have their software signed by the gatekeepers your device is programmed to inherently trust, because the gatekeepers don't give a shit.

The App Store and Play Store are the largest vectors of malware out there, and every year they are responsible for letting their users get scammed to the tune of billions of dollars.

> If you can't use your own keys and verify the process yourself

The thing with security is that it is a gradient. Too many people try to win arguments on security by saying a variant of "anyway you have to trust somebody, so it will never be secure". This is exactly what you are doing here.

Say I trust GrapheneOS: the security model guarantees what I said. Obviously I have to trust something; I won't audit every single line of code and assemble billions of transistors myself.

> every year they are responsible for letting their users get scammed

Second tactic for winning a security argument: "but the users get scammed anyway". Sure they do. Because they have to. If you have a system that popular with zero scams, it probably means that the attackers don't even need to attack the human because the system itself is insecure.