Date: Wed, 17 Aug 2016 21:34:05 +0300
From: Andrey Repin <anrdaemon@yandex.ru>
Reply-To: cygwin@cygwin.com
Message-ID: <441019555.20160817213405@yandex.ru>
To: lloyd.wood@yahoo.co.uk, cygwin@cygwin.com
Subject: Re: Cygwin's installation and security models?
In-Reply-To: <2144740387.26033819.1471429498939.JavaMail.yahoo@mail.yahoo.com>
References: <1740128398.25713364.1471398599819.JavaMail.yahoo.ref@mail.yahoo.com>   <1740128398.25713364.1471398599819.JavaMail.yahoo@mail.yahoo.com>  <2144740387.26033819.1471429498939.JavaMail.yahoo@mail.yahoo.com>

Greetings, lloyd.wood@yahoo.co.uk!

> Specifically, when I launch Cygwin's setup.exe, I am warned:

> "Do you want to allow this app from an unknown publisher to
> make changes to your system?"

This is a generic warning suggesting to double-check your actions.

> That code could be anything. I think that means that
> if your website gets hacked, and the setup binaries
> get replaced, everyone is in trouble. Compare with the
> recent Classic Shell hack where not having a signed
> installer was, at least, a warning.

> http://www.bleepingcomputer.com/news/security/audacity-and-classic-shell-download-server-hacked-by-pegglecrew-/

> I'd expect the app to be signed

Signed by whom?

> and generate a UAC prompt saying it was signed by Redhat or similar.

I can fake such a signature in under 30 seconds.
All this "signing" tests is that the signature is correct and the content hash
matches the signature. Period.
If anything, I see this warning as a good reason to go on a search to check
the credibility of your download yourself. And that is what really matters,
instead of blindly trusting the pretty images.

For additional info, you can start reading from
http://sourceware.org/ml/cygwin/2015-04/msg00049.html , and consider the
http://sourceware.org/ml/cygwin/2015-03/msg00119.html .

P.S.
Just in case I'm not confusing you with someone else: This mailing list is in
"no top posting, please, thank you" mode.


-- 
With best regards,
Andrey Repin
Wednesday, August 17, 2016 21:18:58

Sorry for my terrible English...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
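The reply above makes the point that a "Valid" Authenticode status only proves the file hash matches what was signed and the certificate chains to a trusted root; it says nothing about whether the signer is the publisher you expect. The following PowerShell function is an added illustration of that distinction, not code from the thread or from the Cygwin project; the expected thumbprint is a placeholder you would obtain out of band, and `setup.exe` is the installer name used in the thread.

```powershell
# Added example: what an Authenticode check tells you, and what it does not.
# Assumes a Windows host with the built-in Get-AuthenticodeSignature cmdlet.
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Thumbprint of the signing certificate you already trust, obtained
        # separately from the download itself. PLACEHOLDER value below.
        [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means: signature well-formed, file hash matches the signed hash,
    # and the certificate chains to a root this machine trusts. Nothing more.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path   = $Path
            Result = "Unsigned or invalid signature: $($sig.Status)"
        }
    }

    $cert = $sig.SignerCertificate
    # A valid signature from the wrong signer is still the wrong file. Anyone can
    # obtain a code-signing certificate, so pin the identity you verified yourself.
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{
            Path   = $Path
            Result = "Valid signature, unexpected signer: $($cert.Subject) [$($cert.Thumbprint)]"
        }
    }

    [pscustomobject]@{
        Path   = $Path
        Result = "Signed by the expected publisher: $($cert.Subject)"
    }
}

# Usage (hypothetical path and placeholder thumbprint):
# Test-InstallerSigner -Path "$env:USERPROFILE\Downloads\setup.exe" -ExpectedThumbprint '<thumbprint>'
```

Run it against a freshly downloaded installer; the third outcome is the only one that should lead to running the file, and even then only when the pinned thumbprint came from a source other than the download server.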

