Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <3CE4821A.3050102@ece.gatech.edu>
Date: Fri, 17 May 2002 00:07:54 -0400
From: Charles Wilson <cwilson AT ece DOT gatech DOT edu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc2) Gecko/00200205
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Michael Young <mwy-ltua AT the-youngs DOT org>
CC: cygwin AT cygwin DOT com
Subject: Re: PGP signatures for packages?
References: <000501c1fd52$a512c1a0$c23fa8c0 AT transarc DOT ibm DOT com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)

Michael Young wrote:
> Are signatures available for the setup program, or for the packages it
> downloads?
> RPM uses GPG signatures, but I can't find anything comparable for the Cygwin
> binaries.  Even just a list of hashes would be worthwhile (ideally vended from
> a secure Cygwin/Redhat web page) to verify that a mirror (or download) hasn't
> been corrupted.  Real PGP signatures would be better.  I can live without tool
> support -- I can do the verifications manually, but only if I can find the
> signatures :-).
> 
> I saw a note back in December
> (http://sources.redhat.com/ml/cygwin/2001-12/msg00950.html)
> that touched on this, but I couldn't find any followup.  Did this wither on the
> vine?

Currently, setup.ini contains md5 hashes for each tarball.  The released 
version of setup.exe successfully ignores those md5's, but the HEAD will 
verify the downloaded tarballs against the hash (this may not yet be 
working...)

There was another, more recent thread (somewhere, I can't find it) where 
the following idea was kicked around:

"Wouldn't it be great if maintainers signed their packages with GPG?"
"Well, setup.exe would need to verify them"
"So link against libgpg!"
"Two problems: #1) libpgp isn't part of the cygwin distribution yet, and 
#2) even if it was, we'd need a native (mingw) version, not a cygwin 
version, since setup.exe is a mingw program.  But we need, in addition, 
a cygwin version of the gpg tools, so that maintainers who build their 
cygwin packages on a cygwin host can do the signing..."

So:
1) md5 hash verification coming soon
2) GPG signing/verification waiting on two things (three, actually):
   a) official cygwin package(s) for GPG and its libraries
   b) a mingw port of the GPG libraries
   c) hooks added to setup.exe to use the mingw-GPGlib.

Any volunteers for (a) or (b)?

--Chuck


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/