Comment by mr_mitm
13 hours ago
What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.
13 hours ago
What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.
Microsoft signed the Crowdstrike updates. I don't think a CA signing a piece of malware is a realistic thing to be concerned about.
Only signal is that whoever is in the subject DN (highly) probably signed the code. There's 0 signal about trustworthiness of the code in the signature. Thrustworthiness signal is in the behavior/reputation of the signer.
Pretty sure there were historically a lot of apps that stole peoples contact lists and were signed properly. Certainly in the Android world.
Is it some entirely different process than providing hashes and a GPG signature?
Well, yes. Just look at OP and Jason struggling to get their code signed.
Misplaced trustworthiness?