This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: PGP signatures for packages?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: "Charles Wilson" <cwilson@ece.gatech.edu>
> Currently, setup.ini contains md5 hashes for each tarball.  The released 
> version of setup.exe successfully ignores those md5's, but the HEAD will 

Doh! I should have noticed that.  That's great!

If the "setup.exe" and "setup.ini" files were signed, I could
complete the verification manually.

> "Wouldn't it be great if maintainers signed their packages with GPG?"

Yes and no (in reverse order below):

As a consumer of the collected binaries, I'd rather have signatures
from the Cygwin team (that is, whoever builds "setup.ini"), especially
if I'm going to do the verifications myself.  I don't know who the
legitimate developer(s) might be for each package.  That information
(e.g., the key fingerprints) would have to be included in the
"setup.ini" file for *either* automatic or manual verification.
(If the package owners aren't properly identified, through the
initialization file, key certifications, or the like, then anyone
could generate a key and sign a bogus version of a package.)  I'm
already trusting the provider of the "setup.exe" binary -- I'd rather
have everything signed by the one key of that provider.

Now, the Cygwin team might well benefit from individual maintainers
signing their packages.  This could make it possible to reliably pick up
source/binaries from the maintainers, and to build a legitimate
"setup.ini" file.  (As a consumer of the binaries, I might be comforted
knowing that such a process is in place, but ultimately, I'm trusting
whoever is putting it all together, not just the individual maintainers.)

> "Well, setup.exe would need to verify them"

Perhaps.  As I hinted above, if the "setup.ini" file itself is
signed, then the MD5 hashes are fine.

Even more importantly, I'd love to be able to verify the "setup.exe"
file.  If someone is able to compromise a mirror and install a
bogus "setup.exe", then all of this checking is for naught.

Since I need to verify "setup.exe" manually, I'd be quite willing to
verify one more file ("setup.ini").

Another means of protecting these two files would be to vend them
directly from "www.cygwin.com" over HTTPS.  I tried doing the
obvious URL transformation to retrieve "setup.exe", but that
failed.  (I also looked for an Authenticode signature on that
binary, but that wouldn't work for the data file, and I can
understand why this wouldn't be a popular approach in the GNU
community :-).  HTTPS is even more end-user-friendly, but
GPG signatures are cheaper (and may even be safer if the private
keys are kept offline).

So, how would the Cygwin team feel about GPG-signing just these
two files?

Thanks for your consideration (and for the quick response to my
first query).



-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPOSUhFMkvpTT8vCGEQJeVQCeKnNB2H77vTYxn/e6mk8wRd1UsXgAoIKj
eA2NI+JgiWY1PReGYUymBBH7
=7nCA
-----END PGP SIGNATURE-----
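The trust chain argued for above (authenticate "setup.ini" with the publisher's one pinned key first, and only then rely on the MD5 hashes it carries) as an added example in Go. This is not code from the original message or from Cygwin's setup.exe: it uses an ed25519 detached signature as a stand-in for the GPG signature being discussed, a simplified one-"install:"-line-per-tarball setup.ini layout, and constructed key pair, tarball contents and paths.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample tarballs standing in for what a mirror serves.
var honestTarballs = map[string][]byte{
	"release/bar/bar-2.1.tar.bz2": []byte("constructed bar tarball bytes"),
	"release/foo/foo-1.0.tar.bz2": []byte("constructed foo tarball bytes"),
}

func md5Hex(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest renders a simplified setup.ini: one "install:" line per
// tarball with path, size and md5 (layout assumed for illustration).
func BuildManifest(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic output regardless of map order
	var sb strings.Builder
	sb.WriteString("# constructed setup.ini\n")
	for _, p := range paths {
		fmt.Fprintf(&sb, "install: %s %d %s\n", p, len(files[p]), md5Hex(files[p]))
	}
	return sb.String()
}

// ParseManifest returns path -> expected md5 from the "install:" lines.
func ParseManifest(manifest string) (map[string]string, error) {
	want := map[string]string{}
	for _, line := range strings.Split(manifest, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 || fields[0] != "install:" {
			continue
		}
		want[fields[1]] = strings.ToLower(fields[3])
	}
	if len(want) == 0 {
		return nil, fmt.Errorf("manifest lists no packages")
	}
	return want, nil
}

// CheckPackages compares each served tarball against the manifest's md5.
// On its own this catches a swapped tarball, not a swapped manifest.
func CheckPackages(manifest string, served map[string][]byte) error {
	want, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	for path, sum := range want {
		data, ok := served[path]
		if !ok {
			return fmt.Errorf("%s: missing from mirror", path)
		}
		if got := md5Hex(data); got != sum {
			return fmt.Errorf("%s: md5 %s, manifest says %s", path, got, sum)
		}
	}
	return nil
}

// SignManifest is the publisher's side: a detached signature over the exact
// bytes of setup.ini, made with a key that can stay offline.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyAndCheck is the consumer's side: authenticate setup.ini against the
// pinned publisher key first, then trust the md5s inside it.
func VerifyAndCheck(pub ed25519.PublicKey, manifest string, sig []byte, served map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("setup.ini signature does not verify against pinned key")
	}
	return CheckPackages(manifest, served)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	manifest := BuildManifest(honestTarballs)
	sig := SignManifest(priv, manifest)
	fmt.Println("honest mirror:", VerifyAndCheck(pub, manifest, sig, honestTarballs))

	// Mirror swaps one tarball but leaves setup.ini alone: the md5 check catches it.
	swapped := map[string][]byte{}
	for k, v := range honestTarballs {
		swapped[k] = v
	}
	swapped["release/foo/foo-1.0.tar.bz2"] = []byte("bogus foo")
	fmt.Println("swapped tarball:", CheckPackages(manifest, swapped))

	// Mirror swaps the tarball AND regenerates setup.ini to match: md5s alone
	// pass, only the signature over setup.ini fails.
	bogusManifest := BuildManifest(swapped)
	fmt.Println("md5 only:", CheckPackages(bogusManifest, swapped))
	fmt.Println("signed:", VerifyAndCheck(pub, bogusManifest, sig, swapped))
}
```

The third scenario is the point of the message: a mirror that can rewrite both the tarball and setup.ini defeats an unsigned hash list, while a signature over setup.ini made with a key the mirror never holds still fails. The pinned public key (and the verifier itself, setup.exe here) must reach the user by some path the mirror does not control, which is the remaining gap the message asks the Cygwin team about.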
