BobbyTables2 5 hours ago
I’ve heard product managers proudly proclaim their firmware was signed using the corporate internal signing service (good). Of course, the question explicitly being asked (related to internal mandate) was if the firmware was signed — not if the firmware update process actually checked the signature (it certainly did not).
Koffiepoeder 3 hours ago (reply)
I once came across a similar "solution". The signing algorithm was directly executed from the update package. How would we otherwise be able to update the signature algorithm? Worst part was that it was correct at some point. It was an introduced regression because of a signature change due to "post-quantum safe" signatures now being required by the security team.
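The two failure modes described in the comments above, an updater that never checks the signature and a verifier whose trust anchor (in the story the whole signature algorithm, here simply the public key) is loaded from the very package being verified, side by side with the pinned-key form. This is an added illustration, not code from the thread or from any commenter; the "UPD1" package layout, the function names and the use of Ed25519 are assumptions made for the example, and the payloads are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical package layout (an assumption for this example, not any real vendor format):
//
//   "UPD1" (4) | payload length, uint32 big-endian (4) | payload | embedded key (32) | signature (64)
//
// The Ed25519 signature covers header + payload. The embedded key is the field the
// broken verifier trusts; the fixed verifier ignores it completely.
const (
	magic  = "UPD1"
	hdrLen = 8
	keyLen = ed25519.PublicKeySize
	sigLen = ed25519.SignatureSize
)

// BuildUpdate assembles and signs a package with priv and embeds priv's public key.
// A vendor uses this with the real signing key; an attacker can use it just as well
// with a key of their own, which is the whole point of the demonstration.
func BuildUpdate(payload []byte, priv ed25519.PrivateKey) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	signed := append(hdr, payload...)
	sig := ed25519.Sign(priv, signed)
	pkg := append([]byte(nil), signed...)
	pkg = append(pkg, priv.Public().(ed25519.PublicKey)...)
	return append(pkg, sig...)
}

// split parses the container, checking the length field against the actual size
// before slicing so a hostile length cannot cause an out-of-range read.
func split(pkg []byte) (signed, embeddedKey, sig []byte, err error) {
	if len(pkg) < hdrLen+keyLen+sigLen || string(pkg[:4]) != magic {
		return nil, nil, nil, errors.New("malformed package")
	}
	declared := binary.BigEndian.Uint32(pkg[4:hdrLen])
	if uint64(declared) != uint64(len(pkg)-hdrLen-keyLen-sigLen) {
		return nil, nil, nil, errors.New("length field does not match package size")
	}
	n := int(declared)
	signed = pkg[:hdrLen+n]
	embeddedKey = pkg[hdrLen+n : hdrLen+n+keyLen]
	sig = pkg[hdrLen+n+keyLen:]
	return signed, embeddedKey, sig, nil
}

// VerifyUpdateBroken reproduces the anti-pattern: the trust anchor is taken from the
// package being verified, so any package signed with the key it carries passes.
func VerifyUpdateBroken(pkg []byte) ([]byte, error) {
	signed, embeddedKey, sig, err := split(pkg)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(ed25519.PublicKey(embeddedKey), signed, sig) {
		return nil, errors.New("signature invalid")
	}
	return signed[hdrLen:], nil
}

// VerifyUpdate is the fixed form: verifier code and public key live in the immutable
// boot image, and nothing inside the package can influence which key is used.
func VerifyUpdate(pkg []byte, pinned ed25519.PublicKey) ([]byte, error) {
	signed, _, sig, err := split(pkg)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pinned, signed, sig) {
		return nil, errors.New("signature does not verify against the pinned key")
	}
	return signed[hdrLen:], nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample payloads.
	genuine := BuildUpdate([]byte("firmware v2"), vendorPriv)
	rogue := BuildUpdate([]byte("attacker-built image"), attackerPriv)

	for _, c := range []struct {
		name string
		pkg  []byte
	}{{"genuine", genuine}, {"rogue", rogue}} {
		_, brokenErr := VerifyUpdateBroken(c.pkg)
		_, pinnedErr := VerifyUpdate(c.pkg, vendorPub)
		fmt.Printf("%-8s broken verifier accepts: %v   pinned verifier accepts: %v\n",
			c.name, brokenErr == nil, pinnedErr == nil)
	}
}
```

Replacing "key" with "algorithm" in the broken variant gives exactly the situation from the comment: if the package may name or ship the code that checks it, the check is decorative. Algorithm agility (the post-quantum migration that motivated the regression) belongs in the pinned boot image, which can carry several verifiers and keys, not in the artifact being judged.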
mschulkind 4 hours ago (reply)
I'm surprised someone named BobbyTables2 wouldn't go straight for the proper way to check email PGP signatures...