>Bad news: Dell is posting unsigned update executables to their website labeled “critical” which then fail to install due to the good news<p>If I were a hacker with no access to the signing keys, I'd probably label my updates as critical too, so you would try to find a way around the update signing.
Yesterday they were also serving an update catalog index that did not match its signature
<a href="https://downloads.dell.com/catalog/CatalogIndex.gz" rel="nofollow">https://downloads.dell.com/catalog/CatalogIndex.gz</a> // <a href="https://downloads.dell.com/catalog/CatalogIndex.gz" rel="nofollow">https://downloads.dell.com/catalog/CatalogIndex.gz</a> -- but that was fixed after I complained<p>And their iDRAC-based firmware updater downloads http(s)://downloads.dell.com/Catalog/Catalog.xml.gz without checking the signature -- and by default without verifying https certificates when using https :D
Wow, that’s almost as bad as Firefox five years ago … except this probably doesn’t compromise privacy addons that will get someone killed.<p><a href="https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/" rel="nofollow">https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/</a>
Or the upload to their CDN was truncated or corrupted, and the signature check worked as designed.<p>But let's not let an opportunity to paint Dell as some evil yet incompetent corporation slip through our fingers.
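The catalog problems raised in the thread (an index that did not match its signature, an updater that fetches the catalog without checking the signature, and the possibility of a truncated CDN upload) come down to one defensive rule: verify the detached signature over the exact bytes fetched before decompressing or parsing them, so a truncated or tampered file is rejected rather than acted on. This is an added Go example, not Dell's code; the Ed25519 key pair, the catalog contents and the signing step are all constructed here so it runs offline.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"io"
)

// VerifyCatalog checks a detached Ed25519 signature over the *compressed*
// catalog bytes and only then gunzips them. Verifying first means unsigned
// or corrupted data never reaches the gzip or XML parser.
func VerifyCatalog(pub ed25519.PublicKey, catalogGz, sig []byte) ([]byte, error) {
	if !ed25519.Verify(pub, catalogGz, sig) {
		return nil, fmt.Errorf("catalog signature does not verify; refusing to decompress")
	}
	zr, err := gzip.NewReader(bytes.NewReader(catalogGz))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Cap the decompressed size so a hostile catalog cannot exhaust memory.
	return io.ReadAll(io.LimitReader(zr, 16<<20))
}

// SignCatalog gzips a catalog and signs the compressed bytes. It stands in
// for the vendor's publishing step so the example runs offline.
func SignCatalog(priv ed25519.PrivateKey, catalog []byte) (gz, sig []byte) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(catalog) // writes to an in-memory buffer cannot fail
	zw.Close()
	gz = buf.Bytes()
	return gz, ed25519.Sign(priv, gz)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-in for a Catalog.xml.gz; not Dell's real format.
	gz, sig := SignCatalog(priv, []byte(`<Manifest><Package critical="true"/></Manifest>`))
	if _, err := VerifyCatalog(pub, gz, sig); err != nil {
		fmt.Println("genuine catalog rejected:", err)
	}
	// A truncated CDN upload: the bytes no longer match the signature.
	_, err := VerifyCatalog(pub, gz[:len(gz)-1], sig)
	fmt.Println("truncated catalog:", err)
}
```

The signature check covers the integrity of the catalog bytes however they arrived; it does not replace certificate verification on the HTTPS fetch, which is what prevents a network attacker from choosing which (validly signed) catalog the updater sees.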