Re: PREVIEW: bsign embeds hash and/or digital signature in ELF files
Buddha Buck <firstname.lastname@example.org> writes:
I see the situation as analogous to virtually any digital signature
situation: email, Debian packages, etc. In order for someone to
modify the signed element surrupticiously, they would have to have
write access to the object being signed, and access to the private key
of the signatory.
Where is the key used for verifying signatures stored? On the system
somewhere, presumably. An attacker can substitute a different key as
well as recalculate signatures.
Is this the weakness that people are implying exists?