I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn’t have to deal with Microsofts method of signing software, but that kind of backfired on them.
the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s
No, because you wouldn’t be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft’s security software in the process.
this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”
adding signing into that existing process without any 3rd party involvement is both free, and very very easy
which is why this is a solved (for free) problem on linux
the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s
I didn’t say a Microsoft signing key is required. Im saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer.
this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”
The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place. Notepad++ even said that they moved hosting providers after this happened to them.
yes but as you yourself said
the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s
this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”
adding signing into that existing process without any 3rd party involvement is both free, and very very easy
which is why this is a solved (for free) problem on linux
I didn’t say a Microsoft signing key is required. Im saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer.
The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place. Notepad++ even said that they moved hosting providers after this happened to them.
Per https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Can you point out an existing open source application that runs on Windows that only uses GPG signatures?