Comment by bakugo
19 days ago
So they just conveniently decided not to sign their releases right around the time they were supposedly "hacked"?
Something doesn't seem right here.
Code signing certs are unfortunately expensive
$0 at SignPath. Quite a few OSS projects use it.
You don't even need a certificate to prevent update tampering like this. The updates could have shipped with an ECDSA signature and this wouldn't have happened. It's also free and doable in an afternoon.
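The update-signing scheme the reply above describes, as an added example that is not part of this thread or of Notepad++'s own code: the publisher signs the SHA-256 digest of a release with an ECDSA P-256 key, and the updater checks that signature against a pinned public key before installing, so a modified download fails verification. The function names and the sample release bytes are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignRelease hashes the release bytes with SHA-256 and signs the digest with the
// publisher's private key (ASN.1 DER-encoded signature). In practice the private key
// stays on the build machine or in an HSM; only the public key ships with the app.
func SignRelease(priv *ecdsa.PrivateKey, release []byte) ([]byte, error) {
	digest := sha256.Sum256(release)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyRelease is what the updater runs before installing anything: the public key
// is pinned inside the application, so neither a tampered download nor a compromised
// update server can produce a signature that passes this check.
func VerifyRelease(pub *ecdsa.PublicKey, release, sig []byte) bool {
	digest := sha256.Sum256(release)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed sample: a fresh publisher key pair and a stand-in release payload.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	release := []byte("installer-8.x.exe (constructed stand-in bytes)")
	sig, err := SignRelease(priv, release)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine release verifies:", VerifyRelease(&priv.PublicKey, release, sig))

	// A modified update (one flipped byte, as a hostile mirror might serve) fails.
	tampered := append([]byte{}, release...)
	tampered[0] ^= 0xff
	fmt.Println("tampered release verifies:", VerifyRelease(&priv.PublicKey, tampered, sig))
}
```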
$700+ at Sectigo for two years
Something of Notepad++ size might think about it now
"of Notepad++ size" is basically one guy in his free time, no?
The issue was not the money, but that it was difficult to get a certificate without having some sort of legal entity.