This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: URGENT: BAD signature from "Cygwin <cygwin at cygwin dot com>"

On 9/28/16, Herbert Stocker wrote:
> Hi,
> On 28.09.2016 23:05, Wayne Porter wrote:
>> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>>> gpg --verify setup-x86.exe.sig setup-x86.exe
>>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID
>>> 676041BA
>>> gpg: Good signature from "Cygwin <>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:          There is no indication that the signature belongs to the
>>> owner.
>>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760
>>> 41BA
>> This appears to be a good signature, just that the key is untrusted.
>> Someone
>> else correct me if I'm wrong, but that is typical to see, at least for
>> me.
> But doesn't it mean that anybody who manages to hack into your web
> server, or who does a man in the middle attack on the HTTP (without S)
> connection, is able to replace the setup-x86.exe by a malicious one
> and to also provide a corresponding setup-x86.exe.sig, so that the gpg
> output will be "good signature but untrusted key"?

Only if you don't already have a key saved:
  if [ $(gpg --list-keys | grep -c '') != 1 ]
    gpg --import ${DESTINATION}/pubring.asc

altho checking for exactly one instance instead of an instance seems doubtful.

On the other hand, I didn't even know setupXXX.exe was signed so I
haven't been checking at all :(

It'd be nice if someone could add a signature + public key link on the
front page instead of having to click thru the "fresh install" or
"update" link to find out there's signatures available.


Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]