>> Depends. Does it include the tools necessary to sign my own code? >> If so, what's to stop a malware creator from using those same tools >> to sign the attack vector? > How does the malware author get the private half of a public key you > trust for software installations? The same way you do, of course. Most likely it pops up a box asking for it. Given how boneheaded most users seem to be, and given that signatures will be needed on most software installs, this will be a common sight to many users, and they will probably cheerfully type in whatever is necessary to fetch/decrypt it. Look at how effective phishing attacks are. No, that wouldn't work against me (or, I would hope, you). But I wouldn't be running such a thing anyway, and even if I were-- having to type a passphrase every time I recompiled something would be intolerable, and if it were automated, malware could automate the signing just as well as my compiler front-end could. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse@rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
