Bottom line: if FBI/DoJ can strongarm Apple into electronically signing malware, then we have entered into a truly new imperial era, where trillion-dollar companies can be rubber-hosed into misusing their private crypto keys.
No amount of technology, per se, can prevent this particular MITM attack. We're now going to have to have multiple keys from multiple "trusted" sources prior to accepting a firmware update. Forget visiting Switzerland or the Cayman Islands for access to $$$; you may now have to physically go there to get your iPhone securely updated.
See this is a problem. All this trust in single entities, singular and closed systems you keep needing to place. Why in the fuck do you keep doing this? You compute hardware should be completely open. You compute software should be completely open. You should fuse your own keys into your own hardware for software builds you reproducibly build sign and install yourself from distributed opensource software. Open designs, open fabs, open products, open source. You are NOT going to solve these problems without it. And quit crying profit... the work of your plumber is all in the open and profitable. Or quality... all quality is currently shit, but at least you stand a chance of seeing the flies on it if it's open.
I'm sure that Microsoft/HP/Dell are looking upon these proceedings with mixed feelings, as I suspect that they've *already* provided their code-signing keys to the govt
Like all those call and other data... just for the asking, thus retroactive immunity for them, thus rolled up for absorption and enacted by an unaccountable government.
-- perhaps under FISA NSL -- or perhaps out of a misplaced sense of patriotism.
These two are one and the same.
Apple's digital signature is tied to their credible responsibility that software they sign is theirs
Yes it's theirs, which they can fuck you with at any time... because you trusted them, oops.
and in the best interest of their customers and Apple's business.
These are in tenacious conflict.
As a minimum the existence of compelled software lays waste to the EULA.
Shrinkwrap hardware / software EULAs offer you nothing concrete, trustworthy, or compensatable. All to them, none to you. Negotiated contracts are different but just as tricky.