Comment by BobbyTables2

17 hours ago

I’ve heard product managers proudly proclaim their firmware was signed using the corporate internal signing service (good).

Of course, the question explicitly being asked (related to internal mandate) was if the firmware was signed — not if the firmware update process actually checked the signature (it certainly did not).

I once came across a similar "solution". The signing algorithm was directly executed from the update package. How would we otherwise be able to update the signature algorithm? Worst part was that it was correct at some point. It was an introduced regression because of a signature change due to "post-quantum safe" signatures now being required by the security team.
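What the update path described above should have done, as an added example that is not BobbyTables2's code or any vendor's: a Go verifier with the public key and the signature algorithm pinned in the updater itself, so nothing carried inside the package can choose or supply the verification code. The package layout, the "FWUP" magic, and the choice of Ed25519 are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed layout (an assumption for this example, not any vendor's format):
// "FWUP" (4) | alg id (1) | signature (64) | payload. The signature covers
// alg id || payload, so the id cannot be swapped after signing.
const magic = "FWUP"
const algEd25519 = 0x01
const headerLen = 4 + 1 + ed25519.SignatureSize

// VerifyFirmware checks a package against the key pinned in the verifier. The
// algorithm is fixed at build time: nothing in the package selects or supplies
// the verification code, and the payload is released only after Verify passes.
func VerifyFirmware(pinned ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) < headerLen || string(pkg[:4]) != magic {
		return nil, errors.New("malformed package header")
	}
	alg, sig, payload := pkg[4], pkg[5:headerLen], pkg[headerLen:]
	if alg != algEd25519 {
		return nil, fmt.Errorf("algorithm id 0x%02x not supported by this verifier", alg)
	}
	if !ed25519.Verify(pinned, append([]byte{alg}, payload...), sig) {
		return nil, errors.New("signature verification failed; refusing to install")
	}
	return payload, nil
}

// BuildPackage is the signing side, included so the example runs end to end.
func BuildPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, append([]byte{algEd25519}, payload...))
	pkg := append([]byte(magic), algEd25519)
	pkg = append(pkg, sig...)
	return append(pkg, payload...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := BuildPackage(priv, []byte("constructed firmware image v1"))
	_, err := VerifyFirmware(pub, pkg)
	fmt.Println("intact package:", err) // nil: OK to install
	pkg[len(pkg)-1] ^= 0xff             // flip one payload byte
	_, err = VerifyFirmware(pub, pkg)
	fmt.Println("tampered package:", err)
}
```

Changing the algorithm later means shipping a new verifier that pins the new key and id, not letting the package declare how it should be checked.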

  • By the time post quantum matters for things like firmware packages the thing they've built, even if done well, will have been broken anyway in some other form. But rules are rules, they must obey and introduce more logical errors and bugs in the process.

I'm surprised someone named BobbyTables2 wouldn't go straight for the proper way to check email PGP signatures...