[guardian-dev] Adobe's build servers compromised, malware signed

Miron miron at hyper.to
Fri Sep 28 11:45:48 EDT 2012


On 12-09-28 07:58 AM, Hans-Christoph Steiner wrote:
> That's a good argument for keeping signing keys offline.

Agreed.

> I'm a supporter of using Gitian, but I fail to see how gitian could
> prevent the issue that happened there.  Someone compromised the server
> that could sign code with the Adobe key and signed some of their own
> malware with it.

Agreed.  I wasn't pointing at the specific outcome (key stolen), but
more at the build server being compromised.  Regardless of where the
signing key was, the resulting build binaries themselves could have been
trojaned, and you wouldn't notice because the build server was a single
point of failure.

> Even with gitian, we still need to sign a specific build to upload to
> the various app stores and Debian.  (In Debian, you're actually signing
> source code, but same issue).  If the computer with our signing key was
> compromised, the compromiser could sign arbitrary code with our key.
>
> .hc
>
> On 09/28/2012 01:16 AM, Miron wrote:
>> http://news.slashdot.org/story/12/09/27/2230218/adobe-revoking-code-signing-certificate-used-to-sign-malware
>>
>> (yes, this is a Gitian plug... ;) )
>>
>>
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
>>
>> You are subscribed as: hans at guardianproject.info
>>
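
The point Miron makes above, that a lone build server can ship a trojaned binary unnoticed while several independent builders cannot, can be made concrete. The following is an added example, not code from this thread, from Gitian or from the Guardian Project: each builder compiles the same source and publishes a manifest of SHA-256 digests; the release step compares the manifests and only passes a build to the (offline) signing key when every artifact reaches a quorum of identical digests. Builder names, artifact names and the byte strings standing in for compiled output are all constructed.

```python
# Added example: cross-check independent builds before anything is signed.
# Not from the thread, Gitian or the Guardian Project; all names and bytes are constructed.
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of one artifact; this is what a build manifest records."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(builder: str, artifacts: dict) -> dict:
    """One builder's statement of what it produced: artifact name -> digest.
    Signing this manifest with a key kept offline is a separate, later step."""
    return {"builder": builder,
            "artifacts": {name: sha256_hex(blob) for name, blob in artifacts.items()}}


def compare_manifests(manifests: list, quorum: int) -> dict:
    """Compare manifests from independent builders.

    For every artifact, a digest reported by at least `quorum` builders is the
    consensus; builders reporting anything else (or nothing) are dissenters.
    An artifact where no digest reaches quorum gets consensus None.
    """
    names = sorted({n for m in manifests for n in m["artifacts"]})
    result = {}
    for name in names:
        votes = Counter(m["artifacts"][name] for m in manifests if name in m["artifacts"])
        top, count = votes.most_common(1)[0]
        agreed = top if count >= quorum else None
        dissenters = sorted(m["builder"] for m in manifests
                            if m["artifacts"].get(name) != agreed)
        result[name] = {"consensus": agreed, "dissenters": dissenters}
    return result


def release_ok(comparison: dict) -> bool:
    """Hand the build to the offline signing key only if every artifact reached quorum."""
    return all(entry["consensus"] is not None for entry in comparison.values())


# Constructed stand-ins for compiled output (not real binaries).
CLEAN_APK = b"PK\x03\x04 app-release.apk (constructed, not a real build)"
TROJANED_APK = CLEAN_APK + b"\x00extra payload inserted on the compromised build host"


def demo_detects_trojaned_build() -> dict:
    """Three builders build the same source; the compromised one emits a different binary."""
    manifests = [
        build_manifest("builder-a", {"app-release.apk": CLEAN_APK}),
        build_manifest("builder-b", {"app-release.apk": CLEAN_APK}),
        build_manifest("compromised-build-srv", {"app-release.apk": TROJANED_APK}),
    ]
    return compare_manifests(manifests, quorum=2)


def demo_single_builder() -> dict:
    """The single-point-of-failure case: one builder can never reach a quorum of 2,
    so its trojaned output is indistinguishable from a good one and cannot be released."""
    manifests = [build_manifest("only-build-srv", {"app-release.apk": TROJANED_APK})]
    return compare_manifests(manifests, quorum=2)


if __name__ == "__main__":
    multi = demo_detects_trojaned_build()
    print("three builders:", multi, "release:", release_ok(multi))
    single = demo_single_builder()
    print("single builder:", single, "release:", release_ok(single))
```

Note that the check says nothing about the signing key: a stolen key still signs whatever the thief wants, which is Hans-Christoph's point. What the quorum buys is that a compromised build host by itself cannot get its output past the release step, because its digest is outvoted by builders it does not control.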
