X-Recipient:	archive-cygwin AT delorie DOT com
X-Original-To:	cygwin AT cygwin DOT com
Delivered-To:	cygwin AT cygwin DOT com
DMARC-Filter:	OpenDMARC Filter v1.4.1 sourceware.org E2A963858D28
Authentication-Results:	sourceware.org; dmarc=none (p=none dis=none)
	header.from=SystematicSw.ab.ca
Authentication-Results:	sourceware.org;
	spf=none smtp.mailfrom=systematicsw.ab.ca
X-Authority-Analysis:	v=2.4 cv=IfaU5Ema c=1 sm=1 tr=0 ts=61ce39af
	a=T+ovY1NZ+FAi/xYICV7Bgg==:117 a=T+ovY1NZ+FAi/xYICV7Bgg==:17
	a=IkcTkHD0fZMA:10 a=w_pzkKWiAAAA:8 a=TImcKGuyeGIbufSLrCcA:9 a=QEXdDO2ut3YA:10
	a=WK-i71OpKu4A:10 a=sRI3_1zDfAgwuvI8zelB:22
Message-ID:	<73fb3666-c8cf-8a90-3717-51af6165f71a@SystematicSw.ab.ca>
Date:	Thu, 30 Dec 2021 15:58:54 -0700
MIME-Version:	1.0
User-Agent:	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
	Thunderbird/91.4.1
Subject:	Re: Unable to Verify 64 bit Installer on Windows
To:	cygwin AT cygwin DOT com
References:	<CAPwDAhA1mFg9=QkU6OU_1BFC_Sz500yJ2+YpQgzf1p-i2Lyabw AT mail DOT gmail DOT com>
From:	Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Organization:	Systematic Software
In-Reply-To:	<CAPwDAhA1mFg9=QkU6OU_1BFC_Sz500yJ2+YpQgzf1p-i2Lyabw@mail.gmail.com>
X-CMAE-Envelope:	MS4xfCywXN2xOE/TNJKmBANa9Btn5t/GgA2Xha2x4+gjqrrG33M9lLO+L2cf9stIB0nuHo4OOPZ+BqcjYuXoTH7S2tJPTDWwqrS7BiAXbnl2K3sBFkpH0Y5j
	kZSZ2ojc1tN/8CWwl5WXIPT41Rna+KOPpB3cdTfP2iMhEoM2lP+VrxeedJCxyD4iD3FLjV5tqIM+uUwAbzF2Tc+ohs/xg3clc3E=
X-Spam-Status:	No, score=-1164.5 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS,
	KAM_LAZY_DOMAIN_SECURITY, KAM_LOTSOFHASH, NICE_REPLY_A,
	RCVD_IN_BARRACUDACENTRAL, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NONE,
	TXREP autolearn=no autolearn_force=no version=3.4.4
X-Spam-Checker-Version:	SpamAssassin 3.4.4 (2020-01-24) on
	server2.sourceware.org
X-BeenThere:	cygwin AT cygwin DOT com
X-Mailman-Version:	2.1.29
List-Id:	General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe:	<https://cygwin.com/mailman/options/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive:	<https://cygwin.com/pipermail/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe:	<https://cygwin.com/mailman/listinfo/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
Reply-To:	cygwin AT cygwin DOT com
Errors-To:	cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com
Sender:	"Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com>

On 2021-12-30 14:24, Greg Williamson wrote:
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
> 
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin <cygwin AT cygwin DOT com>". I also created a SHA512 hash of the installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum

Did you perhaps download and rename the test setup 2.910 release?

It's normally best to post commands and output verbatim.

Sometimes you may have to manually run gpg2 --update-trustdb.

> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.

Were the keys used the same as for x86_64?

> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!

All look good to me:

$ gpg2 --verify ~/mirror/x86/setup.xz{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:40 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>" [full]
$ gpg2 --verify ~/mirror/x86/setup.ini{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:28 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>" [full]
$ gpg2 --verify ~/mirror/x86/setup-x86.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>" [full]
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>" [full]
$ cd ~/mirror/x86/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86.exe: OK
$ gpg2 --verify ~/mirror/x86_64/setup.xz{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:43 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>" [full]
$ gpg2 --verify ~/mirror/x86_64/setup.ini{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:31 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>" [full]
$ gpg2 --verify ~/mirror/x86_64/setup-x86_64.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>" [full]
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>" [full]
$ cd ~/mirror/x86_64/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86_64.exe: OK

I've concatenated the downloaded cygwin.com and mirror arch sha512.sum.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

- Raw text -