An Analysis of Software Supply Chain Attacks – Part Two

First, it is important to protect the keys used for signing. If they are disclosed, an attacker can use them to sign malicious software that users will trust. However, even if the keys are stored so that they cannot be extracted, for example in a hardware security module, the attacker still succeeds by gaining control of the system that uses the keys: a signature is only as trustworthy as the build that requested it. This means the software build system, which holds and uses the keys, must be just as well protected as the keys themselves.
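As an added illustration of this point (example code written for this page, not from the article), the Go model below keeps the private key inside an HSMSigner type that only ever hands out signatures. SignAny still produces a perfectly valid signature over whatever digest a compromised build host submits, while SignIfReproducible refuses unless independent builders agree on the digest. HSMSigner, SignAny, SignIfReproducible and Digest are assumed names for this model.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// HSMSigner is a constructed model of a key that never leaves the module:
// callers can only ask for a signature over a digest, never read the key.
type HSMSigner struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewHSMSigner() (*HSMSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &HSMSigner{priv: priv, Pub: pub}, err
}

// Digest is what a build host submits to the signer for an artifact.
func Digest(artifact []byte) []byte {
	h := sha256.Sum256(artifact)
	return h[:]
}

// SignAny signs whatever digest the build host hands over. If that host is
// compromised, a tampered artifact still receives a valid signature.
func (s *HSMSigner) SignAny(digest []byte) []byte {
	return ed25519.Sign(s.priv, digest)
}

// SignIfReproducible signs only when independent builders produced the same
// digest, so a single compromised build host cannot obtain a signature alone.
func (s *HSMSigner) SignIfReproducible(digests [][]byte) ([]byte, error) {
	if len(digests) < 2 {
		return nil, errors.New("need at least two independent builds")
	}
	for _, d := range digests[1:] {
		if !bytes.Equal(d, digests[0]) {
			return nil, errors.New("builders disagree: refusing to sign")
		}
	}
	return ed25519.Sign(s.priv, digests[0]), nil
}
```

Verifying users cannot distinguish the tampered case from the genuine one, which is why the signing policy and the build hosts, not just the key, are in scope.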
