Let's say they update the hardware to include a new public key. They now have the issue that existing signatures don't verify properly. You can mitigate this by having a list of existing valid signatures which can use the old key, but that can't be the best way. Can anyone come up with another?
I don't see why that wouldn't be the best way. How many signatures would there be to check? A couple of thousands?
I do not know how firmware gets signed on PS3, but an alternative could be that all software already is signed with a second key. If so, having new firmware check for that key would close the hole. If they used the same broken algorithm, not for long, though.
That seems like a perfectly good solution to me. Storing a hash of each signature is say 256 bytes and supposing an upper limit of 10,000 signatures, the database file is pretty small. (Better hope they sign the signature database though)
We'd still be able to decrypt the updates and look for holes, or if you have the hardware, just flash your hacked update on the PS3. (We have metldr keys, so we can sign our own loaders)
You'd be able to decrypt updates signed for old hardware, yes. You wouldn't be able to directly reflash new PS3s, though, which is a huge improvement for them.
