Thread: Leaked stolen Nvidia cert can sign Windows malware
1. pintxo+k8 2022-03-05 11:26:02
>>Zuider+(OP)
If a corp like Nvidia cannot manage to store Code signing certs on hardware only, the whole process is broken beyond repair. What’s the value of signed code going forward?
2. imglor+Lr 2022-03-05 14:06:18
>>pintxo+k8
The benefit of signed code is it grants hardware vendors a perpetual control, gatekeeping, and rent seeking role. It was never your hardware.

The cover story was security, which might be mathematically correct but in practice has been shown false in every way. Look how much malware gets signed and shipped on devices and sold on app stores: the vendor gets their cut, /shrug. Look how many devices have been intentionally bricked to force new sales - yay them again. And then there's the certificate management illusion.

3. gruez+qu 2022-03-05 14:29:55
>>imglor+Lr
> The benefit of signed code is it grants hardware vendors a perpetual control, gatekeeping, and rent seeking role. It was never your hardware.

But in this case it's literally not caused by hardware vendors? They're not even a party to this arrangement. The requirement is being enforced by Windows, and the certificates are issued by various CAs. If you don't want that, just use Linux or something, or disable signature enforcement within Windows.

4. krasta+iL 2022-03-05 16:35:29
>>gruez+qu
Most Linux distros have used signed repository packages since forever, right? Not really challenging what you are saying, rather asking whether this is not already a very similar setup. I guess it is a social web of trust among package maintainers as opposed to the certificate authority root of trust in Windows. Or am I making a flawed comparison?