Date: Sat, 3 May 2025 12:43:42 -0700 (PDT)
To: Brian Inglis via Cygwin <cygwin@cygwin.com>
Subject: Re: Signing cygwin.com binaries with signtool by default ?
In-Reply-To: <5fd86c45-8236-43ce-b259-0e0145dda30f@SystematicSW.ab.ca>
Message-ID: <082cda25-f30a-f3c2-a360-63551c38f904@jdrake.com>
References: <CAKAoaQn=-jVLnrO1hmM_4JAPodO-YnUuw+fcnDScHa=d2G48=A@mail.gmail.com>
 <5fd86c45-8236-43ce-b259-0e0145dda30f@SystematicSW.ab.ca>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
From: Jeremy Drake via Cygwin <cygwin@cygwin.com>
Reply-To: Jeremy Drake <cygwin@jdrake.com>

On Sat, 3 May 2025, Brian Inglis via Cygwin wrote:

> On 2025-05-03 12:21, Roland Mainz via Cygwin wrote:
> > Is it somehow possible that the CI+Release binaries (*.exe, *.dll) can
> > be signed with signtool
> > (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)?
>
> No - would break the Cygwin licence terms unless MS releases source!

Huh?!?

> Cygwin supports osslsigncode:
>
> 	https://cygwin.com/packages/summary/osslsigncode-src.html
>
> OpenSSL-based Authenticode signing and timestamping tool
>
> Platform-independent tool for Authenticode signing of PE(EXE/SYS/DLL/etc), CAB
> and MSI files. It also supports timestamping (Authenticode and RFC3161).
>
> That would require our volunteers to find and spend more of their free time to
> integrate the tool into the package build processes, and it would not be
> available until the volunteers find more of their free time once the next
> release of each upstream package becomes available.

It would also require getting an X.509 code signing certificate from a
Microsoft-blessed authority.  AFAIK, these are not free.  I do remember
investigating a service for free signing of open-source binaries (I
believe Vim.org uses it for its Windows binaries), but the requirements
for integrating with the build automation (so they could verify that
binaries weren't tampered with during build) were too onerous for MSYS2 to
consider at the time.

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
