Did you know: when you verify the signature on a digest, you should probably verify that the presented content (that the digest is supposedly of) actually hashes to the same value as the signed digest?
I’m just increasingly disgusted that it seems like the majority of developers are just collectively drugged, high, intoxicated, or some combination thereof, because I don’t understand how I keep stumbling into these things when I’m not even trying to pentest anything. Worse is that this is in a library that people are just blindly importing and trusting.