
I assume anyone can, with some effort, add their certificate under name X to their database. In that case, is there anything stopping a fake publisher from adding themselves with the name of a legit publisher, with the signature saying it's from the legit X?

Hormoz

1 Answer


Yes, there is.

To be accepted, a certificate must be issued by a known Certificate authority (CA).

Any known CA will not issue a certificate without the demand being supported by respectable documentation as to the identity of the person or entity behind the demand. It will certainly not issue a duplicate certificate.

Fake certificates did happen in the past, but that has required a very lax CA (which is usually then blacklisted and all its certificates revoked) or a corrupt employee in a known CA.

See also Root certificate.

harrymc

Comment by Frank Thomas (Apr 21 '22 at 19:50): Some nation-state level attacks (like true espionage stuff) have involved forged or stolen or cracked certificates used for software signing and distribution, but that is well out of reach for your standard malware.
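The answer's point is that the subject name printed on a certificate carries no trust by itself; what a verifier checks is whether the certificate chains, through valid signatures, to a CA already in its trust store. The following Go program is an added example (not code from the question or answer) that builds the scenario in memory with the standard library's crypto/x509 package: a constructed root CA, a code-signing certificate it issues to "Legit Publisher X", and an impostor certificate that copies the identical subject name but is self-signed. Both are then verified against a trust store that contains only the root; all names and keys are constructed on the fly and nothing touches the system's real certificate store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// genKey creates a fresh P-256 key in memory (nothing is persisted).
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert signs template with signer on behalf of parent; passing the same
// template as parent produces a self-signed certificate.
func makeCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildScenario returns a constructed trusted root, a leaf issued by that root,
// and an impostor leaf with the identical subject name that is only self-signed.
func BuildScenario() (root, legit, impostor *x509.Certificate) {
	now := time.Now()
	rootKey := genKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root = makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// Leaf template: a code-signing certificate for a constructed publisher name.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Legit Publisher X"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	legitKey := genKey()
	legit = makeCert(leafTmpl, root, &legitKey.PublicKey, rootKey) // signed by the trusted root

	// Impostor: same subject name, same usages, but signed with its own key only.
	fakeKey := genKey()
	fakeTmpl := *leafTmpl
	fakeTmpl.SerialNumber = big.NewInt(3)
	impostor = makeCert(&fakeTmpl, &fakeTmpl, &fakeKey.PublicKey, fakeKey)
	return root, legit, impostor
}

// ChainsToRoot verifies cert for code signing against a trust store that holds
// only root. It returns nil when a valid chain exists and an error otherwise.
func ChainsToRoot(cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	root, legit, impostor := BuildScenario()
	fmt.Println("legit    :", legit.Subject.CommonName, "->", ChainsToRoot(legit, root))
	fmt.Println("impostor :", impostor.Subject.CommonName, "->", ChainsToRoot(impostor, root))
}
```

Running it prints a nil error for the issued certificate and an "unknown authority" error for the impostor, even though `Subject.CommonName` is byte-for-byte identical on both. This is the mechanism behind the answer: a certificate that merely claims a name is rejected unless the signature chain leads back to a CA the verifier already trusts, which is why getting a CA to issue under someone else's name (or compromising a CA) is the only route around it.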