Mail Archives: cygwin/2002/05/17/00:11:55

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <3CE4821A.3050102@ece.gatech.edu>
Date: Fri, 17 May 2002 00:07:54 -0400
From: Charles Wilson <cwilson AT ece DOT gatech DOT edu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc2) Gecko/00200205
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Michael Young <mwy-ltua AT the-youngs DOT org>
CC: cygwin AT cygwin DOT com
Subject: Re: PGP signatures for packages?
References: <000501c1fd52$a512c1a0$c23fa8c0 AT transarc DOT ibm DOT com>
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)

Michael Young wrote:
> Are signatures available for the setup program, or for the packages it
> downloads?
> RPM uses GPG signatures, but I can't find anything comparable for the Cygwin
> binaries.  Even just a list of hashes would be worthwhile (ideally vended from
> a secure Cygwin/Redhat web page) to verify that a mirror (or download) hasn't
> been corrupted.  Real PGP signatures would be better.  I can live without tool
> support -- I can do the verifications manually, but only if I can find the
> signatures :-).
> 
> I saw a note back in December
> (http://sources.redhat.com/ml/cygwin/2001-12/msg00950.html)
> that touched on this, but I couldn't find any followup.  Did this wither on the
> vine?

Currently, setup.ini contains md5 hashes for each tarball.  The released 
version of setup.exe successfully ignores those md5's, but the HEAD will 
verify the downloaded tarballs against the hash (this may not yet be 
working...)

There was another, more recent thread (somewhere, I can't find it) where 
the following idea was kicked around:

"Wouldn't it be great if maintainers signed their packages with GPG?"
"Well, setup.exe would need to verify them"
"So link against libgpg!"
"Two problems: #1) libpgp isn't part of the cygwin distribution yet, and 
#2) even if it was, we'd need a native (mingw) version, not a cygwin 
version, since setup.exe is a mingw program.  But we need, in addition, 
a cygwin version of the gpg tools, so that maintainers who build their 
cygwin packages on a cygwin host can do the signing..."

So:
1) md5 hash verification coming soon
2) GPG signing/verification waiting on two things (three, actually):
   a) official cygwin package(s) for GPG and its libraries
   b) a mingw port of the GPG libraries
   c) hooks added to setup.exe to use the mingw-GPGlib.

Any volunteers for (a) or (b)?

--Chuck


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
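The md5-in-setup.ini mechanism Chuck describes, as an added example that is not part of the original message or of setup.exe itself. The index format below is an assumed simplification (a package block starting with "@ name" and an "install:" line carrying path, size and md5), the package names and tarball contents are constructed placeholders, and the digests are the md5 values of those placeholder bytes. The example also shows the two failure modes a verifier has to report, a truncated download and a tampered one; as the thread notes, a hash list fetched from the same mirror only catches corruption, and only a signature over the index would let setup.exe reject a mirror that rewrote both the tarball and its hash.

```python
"""Verify downloaded tarballs against md5 hashes listed in a setup.ini-style index.

Hypothetical example, not Cygwin's setup.exe code. The index layout is an
assumed simplification of setup.ini: '@ <package>' opens a block and
'install: <path> <size> <md5hex>' names the tarball to check.
"""
import hashlib
import hmac

# Constructed index fragment. The digests are md5("abc") and md5("hello world"),
# matching the placeholder tarball contents below.
SETUP_INI = """\
@ foo
version: 1.0-1
install: release/foo/foo-1.0-1.tar.bz2 3 900150983cd24fb0d6963f7d28e17f72

@ bar
version: 2.1-1
install: release/bar/bar-2.1-1.tar.bz2 11 5eb63bbbe01eeed093cb22bb8f5acdc3

@ baz
version: 0.9-1
install: release/baz/baz-0.9-1.tar.bz2 3 900150983cd24fb0d6963f7d28e17f72
"""

# Constructed "downloads": foo is intact, bar was altered in transit (one byte
# changed, same length), baz was truncated. Real tarballs would be read from disk.
DOWNLOADS = {
    "release/foo/foo-1.0-1.tar.bz2": b"abc",
    "release/bar/bar-2.1-1.tar.bz2": b"hello worle",
    "release/baz/baz-0.9-1.tar.bz2": b"ab",
}


def parse_index(text):
    """Return {tarball_path: (package, size, md5hex)} for each install: line."""
    entries = {}
    package = None
    for line in text.splitlines():
        if line.startswith("@ "):
            package = line[2:].strip()
        elif line.startswith("install:") and package is not None:
            parts = line.split()
            if len(parts) != 4:
                continue  # malformed line: skip rather than guess
            path, size, digest = parts[1], int(parts[2]), parts[3].lower()
            entries[path] = (package, size, digest)
    return entries


def verify_tarball(data, expected_size, expected_md5):
    """Return (ok, reason). Size is checked first so a truncated file is
    reported as such instead of as a generic hash mismatch."""
    if len(data) != expected_size:
        return False, "size mismatch"
    actual = hashlib.md5(data).hexdigest()
    # compare_digest avoids leaking where the two hex strings first differ.
    if not hmac.compare_digest(actual, expected_md5):
        return False, "md5 mismatch"
    return True, "ok"


def verify_all(index_text, downloads):
    """Check every tarball named in the index; missing files are failures too."""
    results = {}
    for path, (_package, size, digest) in parse_index(index_text).items():
        if path not in downloads:
            results[path] = (False, "not downloaded")
        else:
            results[path] = verify_tarball(downloads[path], size, digest)
    return results


if __name__ == "__main__":
    for path, (ok, reason) in sorted(verify_all(SETUP_INI, DOWNLOADS).items()):
        print(f"{'OK  ' if ok else 'FAIL'} {path}: {reason}")
```

Note that the size field is checked before the digest: a download cut short by a flaky mirror then fails with a clear "size mismatch", while a same-length alteration is only caught by the hash. The md5 choice mirrors what setup.ini carried at the time; for new index formats a SHA-2 digest is the appropriate replacement.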
