[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PREVIEW: bsign embeds hash and/or digital signature in ELF files

Buddha Buck <bmbuck@acsu.buffalo.edu> writes:

   I see the situation as analogous to virtually any digital signature 
   situation:  email, Debian packages, etc.  In order for someone to 
   modify the signed element surrupticiously, they would have to have 
   write access to the object being signed, and access to the private key 
   of the signatory.

Where is the key used for verifying signatures stored?  On the system
somewhere, presumably.  An attacker can substitute a different key as
well as recalculate signatures.  

Is this the weakness that people are implying exists?

Reply to: