hardware tokens and malware threats (was: gpg4win expired code signing cert; please renew.)
Jacob Bachmeyer
jcb62281 at gmail.com
Sat Oct 18 04:48:14 CEST 2025
On 10/17/25 19:03, Jay Acuna via Gnupg-users wrote:
> [...]
>
> There's no point in mulling over a theoretical subset of attacker who has
> both malware to steal your PQC key and a quantum computer to
> blow up your traditional key.
I see a simple problem here: if an attacker can plant resident malware
on your computer, then that malware can simply wait for you to insert
and unlock your hardware token and then abuse the token to decrypt/sign
messages for the attacker, even if the attacker cannot make off with
your private key itself.
In short, if the malware can steal your key and passphrase, it can also
steal your token PIN and give the attacker access that way.
-- Jacob
More information about the Gnupg-users
mailing list