[newzisforsukas]

> In practice the threat of the justice system makes any signed executable unlikely to be malicious.

What threats are those? Where are all the people going to jail for falsely signed software? The stuxnet authors seem to be in the wind.

[wongarsu]

The threat is that if you sign malware with your name you will be quickly connected with said malware. If you don't live in a country that turns a blind eye to cyber crime that is a quick ticket to jail.

Of course people stealing other people's signing keys is an issue. But EV code signing certificates are pretty well protected (requiring either a hardware dongle or 2FA). It's not impossible for a highly sophisticated attacker, but it's a pretty high bar.