Lessons from Leaked Android Platform Signing Keys(chainguard.dev)
chainguard.dev
Lessons from Leaked Android Platform Signing Keys
https://www.chainguard.dev/unchained/principles-for-secure-software-distribution
https://www.chainguard.dev/unchained/principles-for-secure-software-distribution
As attackers increase their sophistication, our defensive technologies for software signing must grow more sophisticated as well. This post focused primarily on the Android ecosystem in light of recent events, but the lessons learned apply to all systems for distributing software securely, including the internal software supply chain of any organization.
To protect yourself, it’s best to use tools with these principles built-in. For instance, Sigstore has transparency as a fundamental component, and uses TUF to manage its own root of trust, ensuring that if the worst were to happen, the project can safely recover.