I have an app with auto-update, and one day I realized that I had (more or less) root on hundreds of users' machines. I'm not special in this regard.
I take fairly strong precautions with my keys: offline storage, encrypted, signing on an air-gapped machine. I'd bet you money that most people aren't so careful. There are probably a lot of secret signing keys sitting in Dropbox.