|
| sidewndr46 8 hours ago |
| Microsoft signed the CrowdStrike updates. I don't think a CA signing a piece of malware is a realistic thing to be concerned about. |
|
| megous 6 hours ago |
| Only signal is that whoever is in the subject DN (highly) probably signed the code. There's 0 signal about trustworthiness of the code in the signature. Trustworthiness signal is in the behavior/reputation of the signer. Pretty sure there were historically a lot of apps that stole people's contact lists and were signed properly. Certainly in the Android world. |
|
| duskdozer 9 hours ago |
| Is it some entirely different process than providing hashes and a GPG signature? |
| mr_mitm 8 hours ago |
| Well, yes. Just look at OP and Jason struggling to get their code signed. |
|
|
| Eldt 10 hours ago |
| Misplaced trustworthiness? |