Hacker News new | ask | show | jobs
by carols10cents 273 days ago
Since Shai-Hulud scanned maintainers' computers, if the signing key was stored there too (without a password), couldn't the attackers have published signed packages?

That is, how does signing prevent publishing of malware, exactly?
3 comments
CaptainOfCoit 273 days ago
> if the signing key was stored there too (without a password), couldn't the attackers have published signed packages?

Yeah, of course. Also if they hosted their private key for the signature on their public blog, anyone could use it for publishing.

But for the sake of the argument, why don't we assume people are correctly using the thing we're talking about?

link
lelanthran 273 days ago
In past comments I said that a quick win would be to lean on certificates; those can't easily be forged once a certificate is accepted.
link
yawaramin 273 days ago
How did Shai-Hulud get access to maintainers' computers?
link