On Mon, Oct 01, 2012 at 01:30:23PM -0700, Lee Fisher wrote:
> FYI
>
> -------- Original Message --------
> Subject: [DC206] Adobe code-signing cert compromised from an HSM
> Date: Mon, 1 Oct 2012 12:13:43 -0700
> From: Duane Blanchard <[email protected]>
> To: [email protected]
>
> One of Adobe's code-signing certs was compromised from a physically
> secure HSM last week.

I am not aware of any reporting that supports this claim. Adobe claims that malware on their build infrastructure submitted 3 hashes to the HSM for signature and the resulting signed malware was used in the wild, but Adobe asserts that the private key was not extracted from the HSM and that their HSM audit logs are not compromised. I do not know of any public evidence (nor any statements that anyone has seen non-public evidence) that the key was extracted.

Can you back up your claim that the signing key was compromised?

-andy
