[Cryptography] Cryptographic signing of software is security theater

John Levine johnl at iecc.com
Sat Dec 3 18:58:09 EST 2022


It appears that Sam Hartman <hartmans at mit.edu> said:
>>>>>> "Jerry" == Jerry Leichter <leichter at lrw.com> writes:
>
>
>I don't know much about Android.
>I'm guessing rotating such a key must be harder than usual.
>I'd be interested in details on what it would take to rotate a
>compromised Android app signing key.

I'd be more concerned about rotating the key used to sign system
software updates. You could probably change the app signing key in a
new version of system software, but the system key is likely burned
into ROM.

-- 
Regards,
John Levine, johnl at taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
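As an added illustration (not part of this thread, and not code from any Android or vendor implementation), the following Go program models the situation John describes: a root public key fixed in ROM that cannot be rotated, with the working update-signing key made rotatable by having the root key sign a versioned key manifest. The device verifies the chain ROM root -> manifest -> update and keeps a monotonic version counter in rewritable storage, so a compromised update key can be retired without touching the ROM. All names (KeyManifest, Device, IssueManifest, RunScenario) and the sample firmware bytes are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyManifest binds a rotatable update-signing key to a monotonically
// increasing version; RootSig is the ROM root key's signature over both.
type KeyManifest struct {
	Version   uint32
	UpdateKey ed25519.PublicKey
	RootSig   []byte
}

// manifestBytes is the exact byte string the root key signs.
func manifestBytes(version uint32, key ed25519.PublicKey) []byte {
	b := make([]byte, 4+len(key))
	binary.BigEndian.PutUint32(b, version)
	copy(b[4:], key)
	return b
}

// IssueManifest is the vendor's (ideally offline) root-key ceremony: it signs
// a freshly generated update key into a manifest. The root key is never replaced.
func IssueManifest(rootPriv ed25519.PrivateKey, version uint32) (KeyManifest, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return KeyManifest{}, nil, err
	}
	sig := ed25519.Sign(rootPriv, manifestBytes(version, pub))
	return KeyManifest{Version: version, UpdateKey: pub, RootSig: sig}, priv, nil
}

// Device models a unit whose root public key is fixed in ROM; only the
// anti-rollback counter lives in rewritable storage.
type Device struct {
	RomRootKey ed25519.PublicKey
	MinVersion uint32
}

// VerifyUpdate checks the chain ROM root -> manifest -> update, refuses
// manifests older than the stored counter, and ratchets the counter forward.
func (d *Device) VerifyUpdate(m KeyManifest, update, sig []byte) error {
	if !ed25519.Verify(d.RomRootKey, manifestBytes(m.Version, m.UpdateKey), m.RootSig) {
		return errors.New("manifest not signed by ROM root key")
	}
	if m.Version < d.MinVersion {
		return errors.New("manifest version below device counter: key revoked")
	}
	if !ed25519.Verify(m.UpdateKey, update, sig) {
		return errors.New("update not signed by the manifest's update key")
	}
	if m.Version > d.MinVersion {
		d.MinVersion = m.Version
	}
	return nil
}

// RunScenario installs an update under key 1, rotates to key 2 after a
// simulated leak of key 1, and reports whether key 1 material is still accepted.
func RunScenario() (before, oldKeyAfter, newKeyAfter error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	dev := &Device{RomRootKey: rootPub}
	update := []byte("constructed sample firmware image") // constructed input

	m1, k1, err := IssueManifest(rootPriv, 1)
	if err != nil {
		return err, err, err
	}
	before = dev.VerifyUpdate(m1, update, ed25519.Sign(k1, update))

	m2, k2, err := IssueManifest(rootPriv, 2) // rotation: new update key, same root
	if err != nil {
		return before, err, err
	}
	// The device must see the newer manifest once; its counter then moves to 2.
	newKeyAfter = dev.VerifyUpdate(m2, update, ed25519.Sign(k2, update))
	// Anything still signed under key 1 ships with manifest 1 and is refused.
	oldKeyAfter = dev.VerifyUpdate(m1, update, ed25519.Sign(k1, update))
	return before, oldKeyAfter, newKeyAfter
}

func main() {
	b, o, n := RunScenario()
	fmt.Println("before rotation:", b, "| new key after:", n, "| old key after:", o)
}
```

The point the model makes explicit: the root key in ROM is only ever used to sign manifests, so it can stay offline and unchanged, while the key that signs day-to-day updates can be retired by publishing a higher-numbered manifest. The weak spot is the window before a device has seen the newer manifest; a device that never receives manifest 2 keeps accepting key 1, which is why the counter must be ratcheted by a trusted update path and not by anything the old key alone can produce.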

