by NayamAmarshe 1160 days ago
Don't they obfuscate the code though? Decompiling APKs makes sense but they obfuscate it on purpose.

Also, WhatsApp's T&C forbid you from doing it anyway.

1 comment

Obfuscation is annoying at best, doesn't do much otherwise. Someone has to follow what happens to the private key through the control-flow graph anyway. (And if some function says innocent_crypto_method2 it still needs to be "audited" anyway.)

If the key ends up used for signing and authenticating messages and for nothing else, then it's sort of safe to say that it's not leaked. (Sure there might be some other part of the code that reads it indirectly, but that's also something that will likely not be named leak_priv_key() :))

The only thing that would help is open source + trusted reproducible builds.
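
What the reproducible-build check mentioned in the reply above amounts to in practice, as an added example that is not part of the thread or of any project's tooling: rebuild the APK from source, then compare every entry of the published APK against the rebuild while ignoring the signing files. The function names and the in-memory sample APKs are constructed for illustration.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signing files under META-INF/ always differ: only the vendor holds
# the release key. The v2+ APK Signing Block is not a ZIP entry, so reading
# entries through the central directory skips it automatically.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def entry_digests(apk_bytes):
    """Map each non-signing entry name to the SHA-256 of its uncompressed data."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES):
                continue
            digests[name] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_builds(published, rebuilt):
    """Return (missing, extra, changed) entry names of published vs. rebuilt."""
    pub, reb = entry_digests(published), entry_digests(rebuilt)
    missing = sorted(set(reb) - set(pub))
    extra = sorted(set(pub) - set(reb))
    changed = sorted(n for n in set(pub) & set(reb) if pub[n] != reb[n])
    return missing, extra, changed


def make_apk(entries):
    """Build a small ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a local rebuild, a matching store build signed with a
# different key, and a store build whose code differs from the source.
BASE = {"AndroidManifest.xml": b"manifest", "classes.dex": b"dex-from-source"}
REBUILT = make_apk({**BASE, "META-INF/CERT.RSA": b"local-debug-key"})
PUBLISHED_OK = make_apk({**BASE, "META-INF/CERT.RSA": b"vendor-release-key"})
PUBLISHED_BAD = make_apk({**BASE, "classes.dex": b"dex-with-extra-code",
                          "lib/extra.so": b"native", "META-INF/CERT.RSA": b"vendor-release-key"})

if __name__ == "__main__":
    print(compare_builds(PUBLISHED_OK, REBUILT))
    print(compare_builds(PUBLISHED_BAD, REBUILT))
```

An empty result only shows that the published binary matches the source that was built; the source still has to be audited for what happens to the key.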