Mail Archives: cygwin/2015/04/09/09:06:01

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <55267923.7070601@dronecode.org.uk>
Date: Thu, 09 Apr 2015 14:05:39 +0100
From: Jon TURNEY <jon DOT turney AT dronecode DOT org DOT uk>
Reply-To: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
CC: dwheeler AT dwheeler DOT com
Subject: Re: Should cygwin's setup*.exe be signed using Sign Tool?
References: <E1Ydjc5-0000kv-WD AT rmm6prod02 DOT runbox DOT com>
In-Reply-To: <E1Ydjc5-0000kv-WD@rmm6prod02.runbox.com>

On 02/04/2015 19:13, David A. Wheeler wrote:
> Running setup*.exe produces "Publisher: Unknown publisher", and it's doubtful that many people check the signature of the .exe file before running.  Even if they did, there's the problem that the signature comes from the same place.
>
> Has Cygwin considered signing the installer using Sign Tool? More info:
>    https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
>    http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
>
> I believe signing it this way would eliminate the "unknown publisher"; it would also protect the many people who don't follow the current signature-checking process.  This would create a strong barrier against code subversion after release.
>
> The signed executable could also be signed using the current process, so you don't need to *eliminate* any capability.  I can't provide a patch to do this, obviously :-).

I don't think this is obvious at all.  You can't provide the 
certificate, but you can provide a patch.

However, saying "install Windows SDK, use signtool" is not a solution, 
for reasons already discussed.

The actual work that needs to be done here is to identify an alternative 
open source signing tool and how to use it.

It would be nice to have such a tool packaged for cygwin, as that would 
allow people to sign any MinGW-w64 executables they make...

