mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

Odd details in the warning about the unauthenticated blob #189

Closed (exoosh closed this issue 1 year ago)

exoosh commented 2 years ago

Quote:

You should consider using asymmetrical encryption for the data you put in the blob, such that the executable contains the public key to decrypt the data. Basically, be VERY careful.

If it said you should use that for signing and the public key for verification I'd understand. Perhaps that was even meant. But how do you decrypt something using a public key in such a scenario? I am not aware of any method that does that.

To the best of my knowledge you use the public key to encrypt against or validate a signature, the private key to decrypt or sign.

Could you elaborate on what is meant by the warning?!

mtrojnar commented 1 year ago

I agree. This sentence (added in https://github.com/mtrojnar/osslsigncode/commit/afd5c5177dc193e72fc03f48acc379bae2888237) indeed doesn't make sense, and it should be removed.