Comment by Koffiepoeder
15 hours ago
I once came across a similar "solution". The signing algorithm was directly executed from the update package. How would we otherwise be able to update the signature algorithm? Worst part was that it was correct at some point. It was an introduced regression because of a signature change due to " post-quantum safe" signatures now being required by the security team.
By the time post quantum matters for things like firmware packages the thing they've build, even if done well, will have been broken anyway in some other form. But rules are rules, thy must obey and introduce more logical errors and bug in the process.