Re: Signed updates
What the report (or SolarWinds) doesn't mention is how the binaries were signed.
Where I work, I'm the one who worked out our signing process. We use a HSM, very limited access, and the access tokens are valid for a short window. For our system, basically the final binaries would have to be swapped out at the final stage of the build, before the signing happens. Possibly feasible, but the binary would have to also match the development-release binary, too.
Using a HSM means the private signing key can't be exported, so it's at least locked to that box. The limited access means that the account of the authorized individual would have to be compromised, which is, of course, feasible. There are a number of checks of the final signed binary before release, so that cuts down on the probability that a rogue binary would be delivered to customers.
Could a nation-state hack us? Possible. It's just a question of what windows of opportunity in the process are open, and how to shut as many of them as possible.