the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s
I didn’t say a Microsoft signing key is required. Im saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer.
this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”
The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place. Notepad++ even said that they moved hosting providers after this happened to them.
I didn’t say a Microsoft signing key is required. Im saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer.
The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place. Notepad++ even said that they moved hosting providers after this happened to them.
Per https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Can you point out an existing open source application that runs on Windows that only uses GPG signatures?