Comment by PunchyHamster
15 hours ago
Just add code cert generation to letsencrypt, it's not like MS validates the code that you sign using certs from them anyway
What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.
Microsoft signed the Crowdstrike updates. I don't think a CA signing a piece of malware is a realistic thing to be concerned about.
Only signal is that whoever is in the subject DN (highly) probably signed the code. There's 0 signal about trustworthiness of the code in the signature. Trustworthiness signal is in the behavior/reputation of the signer.
Pretty sure there were historically a lot of apps that stole people's contact lists and were signed properly. Certainly in the Android world.
Is it some entirely different process than providing hashes and a GPG signature?
Well, yes. Just look at OP and Jason struggling to get their code signed.
Misplaced trustworthiness?