Most code signing system compromises have been due to online keys. That’s why sensitive keys are kept offline.
I'm sold on this, but I think you might not agree that compromising a build server / package signing infra is just as bad as compromising (hypothetical) key escrow infra. If that's true, why not?
Build server compromise is not enough to get access; you must compromise signing infra. No competent enough prod OS / firmware signing infra is online; all build infra is.
It absolutely is enough, and we have real-world examples?
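The split the thread is arguing about, as an added example that is not part of the thread or anyone's real pipeline: an online build server produces an artifact, an offline signer that alone holds the key signs the artifact's digest, and a client verifies. A Lamport one-time signature (hashlib only, so it runs offline) stands in for a real asymmetric scheme; the "compiler" and the injected backdoor string are constructed. Both sides of the disagreement show up as separate scenarios: with the key offline, a compromised build server cannot forge a signature for its tampered output, but a signer that signs whatever digest it is handed will still vouch for that output, and the only way the signer can refuse is to compare against something the build server does not control (here, a hypothetical independent reproducible rebuild).

```python
"""Offline signer vs. online build server (added example, not from the thread)."""
import hashlib
import secrets

SOURCE = b"int main(void) { return 0; }"  # constructed source input


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Offline signer: the only place the private key exists -------------------
# Lamport one-time signature (stand-in for a real signature scheme).
# One key pair signs exactly one digest; every scenario below generates a fresh pair.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[sha256(a), sha256(b)] for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i >> 3] >> (7 - (i & 7))) & 1


def sign_digest(sk, digest: bytes):
    # Reveal one preimage per digest bit; the public key holds both hashes.
    return [sk[i][_bit(digest, i)] for i in range(256)]


def verify_digest(pk, digest: bytes, sig) -> bool:
    return all(sha256(sig[i]) == pk[i][_bit(digest, i)] for i in range(256))


def gated_sign(sk, artifact: bytes, reference_digest: bytes):
    """Hypothetical signer policy: only sign if the artifact matches a digest
    obtained independently of the build server (e.g. a reproducible rebuild)."""
    digest = sha256(artifact)
    if digest != reference_digest:
        return None  # refuse: build output does not match the independent reference
    return sign_digest(sk, digest)


# --- Online build server ------------------------------------------------------
def build(source: bytes, compromised: bool = False) -> bytes:
    # Constructed "compiler": a compromised build server injects a backdoor.
    artifact = b"BIN:" + source
    if compromised:
        artifact += b"\n/* backdoor */"
    return artifact


# --- Client -------------------------------------------------------------------
def verify_artifact(pk, artifact: bytes, sig) -> bool:
    return verify_digest(pk, sha256(artifact), sig)


# --- Scenarios ----------------------------------------------------------------
def scenario_honest() -> bool:
    sk, pk = keygen()
    art = build(SOURCE)
    return verify_artifact(pk, art, sign_digest(sk, sha256(art)))  # True


def scenario_key_offline_attacker_reuses_signature() -> bool:
    # Build server is compromised, signer was only ever given the honest build.
    sk, pk = keygen()
    good, bad = build(SOURCE), build(SOURCE, compromised=True)
    stolen_sig = sign_digest(sk, sha256(good))
    return verify_artifact(pk, bad, stolen_sig)  # False: key offline, no forgery


def scenario_signer_signs_blindly() -> bool:
    # Build server is compromised and the signer signs whatever it is handed.
    sk, pk = keygen()
    bad = build(SOURCE, compromised=True)
    return verify_artifact(pk, bad, sign_digest(sk, sha256(bad)))  # True: backdoor is signed


def scenario_signer_requires_reproducible_build():
    # Same compromise, but the signer checks against an independent rebuild.
    sk, _pk = keygen()
    bad = build(SOURCE, compromised=True)
    reference = sha256(build(SOURCE))  # assumed independent, uncompromised rebuild
    return gated_sign(sk, bad, reference)  # None: signer refuses


if __name__ == "__main__":
    print("honest build verifies:", scenario_honest())
    print("stolen signature on tampered build verifies:", scenario_key_offline_attacker_reuses_signature())
    print("blindly signed tampered build verifies:", scenario_signer_signs_blindly())
    print("gated signer signature:", scenario_signer_requires_reproducible_build())
```

The second scenario is the "offline keys" point: the key never touches the build server, so its compromise yields no forgery. The third is the counterpoint: the key stays safe while the signature still covers a backdoored binary, because nothing on the signing side distinguishes honest build output from tampered build output. The gated signer only helps if the reference digest really is computed outside the attacker's reach.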