Mail Archives: cygwin/2016/09/28/22:05:23

Subject: Re: URGENT: BAD signature from "Cygwin <cygwin AT cygwin DOT com>"
To: cygwin AT cygwin DOT com
References: <B0BF22335C47694D8CF77683CF7C809C8451E464 AT TWHQ-MAIL1 DOT trellisware DOT com> <20160928210553 DOT GA12532 AT hdmetxxxx33004g DOT AD DOT UCSD DOT EDU>
From: Herbert Stocker <hersto AT gmx DOT de>
Message-ID: <57EC76BB.9050503@gmx.de>
Date: Thu, 29 Sep 2016 04:04:43 +0200
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <20160928210553.GA12532@hdmetxxxx33004g.AD.UCSD.EDU>

Hi,

On 28.09.2016 23:05, Wayne Porter wrote:
> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>> gpg --verify setup-x86.exe.sig setup-x86.exe
>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>> gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA
>
> This appears to be a good signature, just that the key is untrusted. Someone
> else correct me if I'm wrong, but that is typical to see, at least for me.

But doesn't it mean that anybody who manages to hack into your web
server, or who does a man-in-the-middle attack on the HTTP (without S)
connection, is able to replace setup-x86.exe with a malicious one
and to also provide a corresponding setup-x86.exe.sig, so that the gpg
output will be "good signature but untrusted key"?

My 2 cents.

Herbert


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
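The point Herbert raises, as an added shell example that is not part of this thread: a check that decides on the key fingerprint reported by `gpg --status-fd`, pinned to the fingerprint quoted above, rather than on the "Good signature" line, which a substituted .sig made with any key would also produce. The status lines embedded below are constructed samples, and verify_file is an assumed helper name.

```shell
#!/bin/sh
# Added example (not from the thread): accept a download only if gpg reports a
# VALIDSIG made by the pinned Cygwin key fingerprint quoted in the thread.
CYGWIN_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# verify_status PINNED_FPR STATUS_TEXT
# STATUS_TEXT is what `gpg --status-fd 1 --verify FILE.sig FILE` prints on stdout.
# GOODSIG only says that some imported key made the signature, so a swapped file
# plus .sig from a look-alike key gives the same "good but untrusted" output;
# the decision therefore rests on the fingerprint alone.
verify_status() {
    pinned=$1
    status=$2
    while read -r line; do
        set -- $line          # split the status line into fields
        [ "$1" = "[GNUPG:]" ] || continue
        case $2 in
            BADSIG|ERRSIG|NO_PUBKEY) return 1 ;;
            VALIDSIG)
                # $3 is the signing key's fingerprint; ${12}, when gpg prints it,
                # is the primary key's. Cygwin key 676041BA is itself the primary.
                primary=${12:-$3}
                [ "$primary" = "$pinned" ] && return 0
                ;;
        esac
    done <<EOF
$status
EOF
    return 1   # no VALIDSIG carrying the pinned fingerprint was seen
}

# Real-world wrapper (assumed name): verifies FILE against FILE.sig with gpg.
verify_file() {
    out=$(gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null)
    verify_status "$CYGWIN_FPR" "$out"
}

# Constructed status output for the run quoted in the thread: good signature,
# key not certified, fingerprint ending in 676041BA.
STATUS_CYGWIN='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2016-09-09 1473412802 0 4 0 17 2 00 1169DF9F22734F743AA59232A9A262FF676041BA
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status output for the case Herbert describes: a substituted file
# and .sig from a look-alike key. gpg still prints "Good signature", untrusted.
STATUS_SWAPPED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEFDEADBEEF Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFDEADBEEF 2016-09-28 1475100000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEFDEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

The pinned value itself still has to come from somewhere other than the HTTP download (a key server lookup by full fingerprint, or a previously verified copy), otherwise the check moves the problem rather than solving it.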
