
Essentially, yes. And that means duping a developer into adding your code somehow, since builds are digitally signed with a hardware token.


Or supply chain attack


But that requires it to be present before the build is signed, ergo, early in the supply chain. Otherwise, the signature breaks and the build isn’t trusted for the rest of it.



