This is the mail archive of the
mailing list for the Cygwin project.
Re: URGENT: BAD signature from "Cygwin <cygwin at cygwin dot com>"
On 28.09.2016 23:05, Wayne Porter wrote:
On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
gpg --verify setup-x86.exe.sig setup-x86.exe
gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
This appears to be a good signature, just that the key is untrusted. Someone
else correct me if I'm wrong, but that is typical to see, at least for me.
But doesn't it mean that anybody who manages to hack into your web
server, or who does a man in the middle attack on the HTTP (without S)
connection, is able to replace the setup-x86.exe by a malicious one
and to also provide a corresponding setup-x86.exe.sig, so that the gpg
output will be "good signature but untrusted key"?
my 2 cents.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple