@jerry are they not using a hardware security module to hold the key?
“Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).”
The write up never mentions HSM so I assume not…
Having keys like this on regular systems (even is supposedly secured) is bonkers.