Hacker News

Code signing requires some verification that you are who you say you are in the real world so there is an additional cost.



Not necessarily. For issues like the one discussed in this thread, a simple ssh-style "trust initially" would have sufficed, and would have prevented the malicious installer from running.

Note that I'm not proposing this as a replacement for the current cert system (which you pay into), but as a replacement for unsigned executables.
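The ssh-style "trust initially" idea from the comment above, sketched as an added example that is not part of the thread or of any existing tool: a known_hosts-like store pins the signing key seen the first time an application is installed and rejects later files signed by a different key. The names `TofuStore`, `check`, and the JSON pin file are hypothetical, and the code assumes the file's signature has already been verified against the key passed in.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional


def key_fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a signer's public key (like an SSH host key fingerprint)."""
    return hashlib.sha256(public_key).hexdigest()


class TofuStore:
    """known_hosts-style pin store mapping application name -> signer key fingerprint."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def check(self, app: str, signer_key: Optional[bytes]) -> str:
        """Decide whether an executable claiming to be `app` may run.

        Assumption: the caller has already verified the file's signature
        against `signer_key`. None means the file carries no signature.
        """
        pinned = self.pins.get(app)
        if signer_key is None:
            # An unsigned file must not replace an application whose key is pinned.
            return "block-unsigned" if pinned else "unsigned-unknown"
        fingerprint = key_fingerprint(signer_key)
        if pinned is None:
            # First contact: nothing to compare against, so pin the key and trust it.
            self.pins[app] = fingerprint
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "pinned-first-use"
        # Later contact: only the originally pinned key is accepted.
        return "allow" if fingerprint == pinned else "block-key-changed"


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        store = TofuStore(Path(tmp) / "known_publishers.json")
        vendor = b"constructed-vendor-public-key"      # constructed sample key bytes
        impostor = b"constructed-other-public-key"     # constructed sample key bytes
        print(store.check("ExampleApp", vendor))    # first install
        print(store.check("ExampleApp", vendor))    # genuine update
        print(store.check("ExampleApp", impostor))  # installer signed by another key
```

As with SSH, the first use is unauthenticated, so the pin only protects installs and updates that come after it.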



