
krater23, yesterday at 9:03 AM, 2 replies

Auto update is EVERY TIME an RCE. When the software checks a signature, you just need the key. And the delivering enterprise has the key. EVERY TIME.

Don't understand why most people think auto-updating software would in any way create more security. It just creates more attack vectors for every software that has an auto-updater.


Replies

dns_snek, yesterday at 10:37 AM

Remote Code Execution (RCE) is a type of vulnerability. Intentionally running code from a developer you trust is not a vulnerability.

An auto-update mechanism only becomes an RCE if it allows unauthorized third parties to execute code on your machine by failing to verify that the code comes from a legitimate source.

> you just need the key

Secrecy of cryptographic keys is the basis of all cryptography we use. There's no "just": you need the key, and you don't have it.
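The distinction dns_snek draws, between an updater that runs whatever arrives and one that only accepts code the legitimate publisher signed, is easy to make concrete. The following is an added example, not code from the thread or from any real updater: it uses Go's standard-library Ed25519 to sign a constructed payload with the publisher's private key and to verify it on the client against a pinned public key. The `Update` type and the function names are hypothetical; `ApplyUnverified` shows the shape that turns an update channel into remote code execution, and `VerifyUpdate` shows the check that prevents it, rejecting both a tampered payload and a payload signed by some other key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned for any update that does not verify against
// the key pinned in the client. The caller must not run the payload.
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned publisher key")

// Update is a constructed artifact for this example: the code to install plus
// a detached signature over it. Real updaters carry more (version, manifest).
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the publisher-side step, done with the private key that never
// leaves the publisher's signing infrastructure.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the client-side check. The public key is compiled into the
// client, so only the holder of the matching private key can produce a payload
// this function returns. Anything else is ErrBadSignature.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// ApplyUnverified is the failure mode from the reply above: the client runs
// whatever the download returned, so anyone who can alter the download (a
// compromised mirror, a network position) gets code execution. Shown only as
// the contrast to VerifyUpdate; never ship this.
func ApplyUnverified(u Update) []byte {
	return u.Payload
}

func main() {
	// Constructed key pair for the demo; a real publisher key is generated once and pinned.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := SignUpdate(priv, []byte("constructed update payload v2"))
	if _, err := VerifyUpdate(pub, genuine); err != nil {
		panic("genuine update should verify")
	}
	fmt.Println("genuine update: accepted")

	// Flip one byte of the payload after signing: the signature no longer matches.
	tampered := Update{Payload: append([]byte{}, genuine.Payload...), Signature: genuine.Signature}
	tampered.Payload[0] ^= 0xff
	_, err = VerifyUpdate(pub, tampered)
	fmt.Println("tampered update:", err)

	// Sign the same payload with a different key: rejected, because the client
	// pinned the publisher's key, not "any valid signature".
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(otherPriv, genuine.Payload)
	_, err = VerifyUpdate(pub, forged)
	fmt.Println("update signed by other key:", err)

	fmt.Printf("unverified path would have run %d bytes of the tampered payload\n", len(ApplyUnverified(tampered)))
}
```

The pinned key is the whole point: verification binds the update to one specific publisher, so the exposure is limited to compromise of that publisher's signing key, which is the scenario krater23 is pointing at and which a defender addresses with key custody (HSMs, offline signing) rather than by dropping the check.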