Collaborate Disseminate
I’m doing a manual install on Linux of the .NET runtime which can be downloaded from dotnet.microsoft.com.
MS do provide a SHA512 checksum of the file on the site, but that can’t be use to verify the sincerity of the file.
So am I missing … Continue reading Are .NET runtime really not signed?
Taking into account a Root of Trust in a device using a TPM.
My understanding is that the bootloader, firmware, operating system, applications etc. are all verified on startup by validating signatures with the vendors public key.
The TPM E… Continue reading TPM Endorsement Key usage in secure and trusted boot
When a Windows .exe installer is code-signed, I thought that modifying a single byte (thus changing its SHA256 hash) would make the digital signature invalid, but surprisingly, this is not true.
Indeed, as reported two days ago in Each Fir… Continue reading How can a .exe be modified and still keep a valid digital signature?
My understanding is that secure boot works by verifying each stage in the boot process before proceeding. So first, UEFI or booting firmware will validate the signature of the bootloader, then kernel, applications etc. before loading.
When… Continue reading Secure boot after an OTA update confusion
It seems easy to sign kernel modules at compile time. Apparently, you just set CONFIG_MODULE_SIG_ALL=y in your .config file and then the compiler will perhaps give you the appropriate errors until you have installed acceptable certificates… Continue reading How To First Strip and Then Sign Kernel Modules at Complie Time
I have environmental constraints where the cyber and safety functions are segregated such that safety operations are handled by one unit and cyber operations such as firewall, HIDS, secure storage etc. are handled by another unit that is s… Continue reading double hashing for code signing and verification
Signing your applications with an OV code signing certificate enables them to build reputation together in Microsoft SmartScreen, rather than each binary building reputation separately. This allows developers to publish updated binaries wi… Continue reading Why does Microsoft SmartScreen require OV certificates to be signed by a trusted CA?
I have read on the web ([1], [2]) that Apple has stopped signing the iOS 15.1.
The two articles describe that it will prevent users from downgrading the OS. And the inability to jailbreak the iPhone.
I am not interested in jail breaking n… Continue reading What (if any) are the implications of Apple stop signing iOS 15.1?
I have a MacBook which has a Yubikey. I usually don’t use my MacBook for any development. I use a remote Linux server. I would like to sign my commits with Yubikey instead of a gpg key.
Can I share my Yubikey via ssh to my remote Linux mac… Continue reading Sharing Yubikey via SSH
I’ve been considering how continuous integration/delivery environments handle code signing.
If I maintain some open source project which uses a CD environment to build binaries to ship to users, I may wish to sign the binaries which are pr… Continue reading Signing Binaries in CI/CD