Hello there,
I have read a little on this discussion and feel like sharing my thoughts.
I think the currently lacking procedures are numbers 3 and 4 from my summary
based on the current standards adopted for PKI:
1) Chain of trust from developer, [intermediaries,] to root CA.
2) Ensure multiple signing of packages at the above layers (intermediaries, root).
|__This allows for a buffer for key revocation whether by user choice or the other party holding the authority (intermediaries, root).
3) Use 'password enabled key store' to prevent unauthorized access to digital keys.
4) Use 'password enabled signing' to prevent unauthorized usage of digital keys.
The use of numbers 3 and 4 is part of the steps developers follow to upload application packages as part of the
verification process by Google for the 'Play store' used on Android OS devices.
I am not sure about the others like Apple, Windows, Amazon, etc., but they all probably have the same process.
Nothing new is being invented here and nothing is being reinvented to complicate matters.
The existing security framework is quite simple yet sophisticated which is probably good.
Cheers,
Simon khng