by throwawaaarrgh 1297 days ago
2. State actor. Otherwise you'd have to either a) hack every vendor independently for its most cherished keys, or b) find some intermediary that keeps every vendor's most cherished keys. The latter is feasible for a private actor but unlikely; the former is feasible for a state actor, and we already know they do this kind of thing.

Makes sense -- but how was it discovered?
Pretty straightforward, honestly: if the signature on a piece of malware can be verified by a corporation's private key, unless that corporation is a remarkably inept bad actor, that corporation and its signing key have been compromised.

Not saying it's how these were picked up, but that's the most obvious way.

I think you’d be surprised how many large companies have such poor control of their signing servers that anyone in the company with a valid login and engineering group membership can generate signatures for arbitrary artifacts.
> anyone in the company with a valid login and engineering group membership can generate signatures for arbitrary artifacts.

Trust me, I'm not at all surprised, but my point stands: it's either a compromise of the company or the key.

What would an actual secure workflow for signing artifacts look like?

I'm thinking: Final round of "code review" by security engineer on high-security single-purpose device, build artifact on that device, sign using hardware security module.

I put "code review" in scare quotes because code changes are potentially expensive at this point. For minor issues, turn to your standard workstation and file an issue for next release. For a major security problem, call off the release.
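
As an added illustration of the workflow asked about here (and of the earlier point that a signature which verifies under a vendor's release key means that key signed those exact bytes), the following Go program is example code written for this page, not code from anyone in the thread. It models a signing gate that will only release a signature when two distinct, pre-registered reviewers have each signed the SHA-256 digest of the artifact, and a consumer-side check against the vendor's public key. Assumptions: Ed25519 keys held in memory stand in for an HSM-resident release key and per-reviewer hardware tokens; the reviewer names, the quorum of two and the artifact bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Reviewer is someone allowed to approve a release. The private key stands in
// for a per-reviewer hardware token; only the public key is known to the gate.
type Reviewer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewReviewer(name string) (*Reviewer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Reviewer{Name: name, pub: pub, priv: priv}, nil
}

// Approval binds a reviewer to the exact bytes they reviewed: a signature over
// the SHA-256 digest of the artifact, not over a ticket number or branch name.
type Approval struct {
	Reviewer string
	Sig      []byte
}

func (r *Reviewer) Approve(artifact []byte) Approval {
	d := sha256.Sum256(artifact)
	return Approval{Reviewer: r.Name, Sig: ed25519.Sign(r.priv, d[:])}
}

// SigningGate fronts the release key. In a real deployment the key is generated
// in, and never leaves, an HSM on the offline signing host; here it is held in
// memory (an assumption made so the example runs anywhere).
type SigningGate struct {
	releasePriv ed25519.PrivateKey
	ReleasePub  ed25519.PublicKey
	trusted     map[string]ed25519.PublicKey
	quorum      int
}

func NewSigningGate(reviewers []*Reviewer, quorum int) (*SigningGate, error) {
	if quorum < 1 || quorum > len(reviewers) {
		return nil, errors.New("quorum must be between 1 and the number of reviewers")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	g := &SigningGate{releasePriv: priv, ReleasePub: pub, quorum: quorum,
		trusted: make(map[string]ed25519.PublicKey)}
	for _, r := range reviewers {
		g.trusted[r.Name] = r.pub
	}
	return g, nil
}

// Sign produces a release signature only when at least quorum distinct trusted
// reviewers have approved this exact digest. Approvals from unknown names,
// repeated approvals from one reviewer, and approvals over different bytes are
// ignored, so a valid login alone cannot obtain a signature.
func (g *SigningGate) Sign(artifact []byte, approvals []Approval) ([]byte, error) {
	d := sha256.Sum256(artifact)
	counted := make(map[string]bool)
	for _, a := range approvals {
		pub, ok := g.trusted[a.Reviewer]
		if !ok || counted[a.Reviewer] {
			continue
		}
		if ed25519.Verify(pub, d[:], a.Sig) {
			counted[a.Reviewer] = true
		}
	}
	if len(counted) < g.quorum {
		return nil, fmt.Errorf("refusing to sign: %d of %d required approvals", len(counted), g.quorum)
	}
	return ed25519.Sign(g.releasePriv, d[:]), nil
}

// VerifyRelease is the consumer-side check: true only if the holder of the
// vendor's release key signed exactly these bytes.
func VerifyRelease(pub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	jeff, _ := NewReviewer("jeff")
	clem, _ := NewReviewer("clem")
	gate, _ := NewSigningGate([]*Reviewer{jeff, clem}, 2)
	release := []byte("vendor-tool-1.4.2.tar.gz (constructed sample artifact)")

	sig, err := gate.Sign(release, []Approval{jeff.Approve(release), clem.Approve(release)})
	fmt.Println("two approvals signed:", err == nil, "verifies:", VerifyRelease(gate.ReleasePub, release, sig))
	_, err = gate.Sign(release, []Approval{jeff.Approve(release)})
	fmt.Println("one approval:", err)
	tampered := append(append([]byte{}, release...), " + implant"...)
	_, err = gate.Sign(tampered, []Approval{jeff.Approve(release), clem.Approve(release)})
	fmt.Println("approvals for other bytes:", err)
}
```

The point of binding approvals to the digest rather than to a ticket or branch is that a compromised build host cannot reuse yesterday's review to get today's implant signed, and the gate never needs to trust who is logged in, only which keys signed which bytes. The registry of trusted reviewer keys is as sensitive as the release key itself: whoever can edit it can add their own key and approve anything.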

One guy named Jeff and his boss Clem have access to an offline PC with some signing software in a closet behind a badged door. Not TEMPEST secure unless they have govt contracts. For hardware stuff it might be at the factory.
Thanks, interesting.

I don't see how TEMPEST is relevant?