[Cryptography] Cryptographic signing of software is security theater
Natanael
natanael.l at gmail.com
Sat Dec 3 18:51:21 EST 2022
Den sön 4 dec. 2022 00:35Sam Hartman <hartmans at mit.edu> skrev:
> >>>>> "Jerry" == Jerry Leichter <leichter at lrw.com> writes:
>
>
> I don't know much about Android.
> I'm guessing rotating such a key must be harder than usual.
> I'd be interested in details on what it would take to rotate a
> compromised Android app signing key.
>
It's just annoying, not super hard. Package names must be replaced (and
then app data must be transferred, stuff like the system backup services
can already handle this), or else the switch needs a reboot / system update
in order to substitute all package signatures and Android's list of
associated signing keypairs (overcomplicated compared to the other option).
Changing package names may break some app integrations which will require a
bunch of apps to be updated.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20221204/9cb10b24/attachment.htm>
More information about the cryptography
mailing list