From: Doug Bateman
To: cygwin AT cygwin DOT com
Date: Tue, 19 May 2009 20:03:47 -0700
Subject: Security Concern: setup.exe signature difficult to verify
Message-ID: <66baf7b90905192003j1071dbe9vad179da6c74905fb@mail.gmail.com>
In-Reply-To: <66baf7b90905192002s7ab184d2le0f22e987875faad@mail.gmail.com>

Today, I was downloading cygwin, and discovered how challenging it really is to verify the authenticity of setup.exe. Typically there are 3 ways an executable can be verified:

Method 1) Windows supports signed exe files. When you first execute an exe, Windows first shows a window allowing you to confirm its authenticity.

Method 2) Downloading the exe from a trusted site via https.

Method 3) Using gnupg to check the .sig provided along with the exe.

However, I ran into the following issues when attempting to verify Cygwin's setup.exe using each of those methods:

Problem with Method 1) setup.exe doesn't have a Windows digital signature. Windows doesn't even recognize setup.exe as a win32 executable (try right-clicking and viewing the properties... notice you can't even see publisher information and it wants to run it in a DOS virtual machine).

Problem with Method 2) Cygwin.com's webserver doesn't support https. Try connecting to https://www.cygwin.com/setup.exe

Problem with Method 3) Yes, you can download http://www.cygwin.com/setup.exe.sig. However, you won't find mention of that on the website. Sadly, to check this signature you have to already have gpg.exe installed. This of course requires you already have cygwin installed. It's a chicken-and-egg problem. Also, cygwin's webpages don't discuss where to get the certificate to use when verifying the signature.

The bottom line is that without any form of easy-to-use verification, those attempting to download setup.exe are vulnerable to a man-in-the-middle attack, where they can be tricked into downloading and executing a trojan instead. And this is sad considering the fact that setup.exe does actually attempt to provide security & checksums when downloading modules, but all this is for naught if setup.exe itself is not secure.

My recommendation is to make method 1 and method 2 both available. Meantime, are there any other solutions for validating security that I'm missing?

Thanks,
Doug

P.S. Yes, I did search the FAQ and mailing lists without success before sending this post. There is a lot to search through, so if I missed the answer somewhere, please let me know.

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
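The first observation in the post, that setup.exe carries no Windows digital signature, can be checked on any platform before the file is ever executed: an Authenticode signature lives in the PE image itself, in the data-directory entry that Microsoft's PE specification calls the Certificate Table (index 4), which points at a WIN_CERTIFICATE blob of type PKCS#7 SignedData. The Python script below is an added example and is not part of Doug's mail or of the Cygwin project; it parses that structure, reports whether a signature blob is present at all, and records the SHA-256 of the download so it can be compared against a hash published out of band. The sample PE images it builds are constructed in the script, are not real programs, and the PKCS#7 payload is a labelled placeholder; the field offsets used are the standard PE32/PE32+ ones.

```python
import hashlib
import struct

# Index of the "Certificate Table" entry in the PE data-directory array.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# WIN_CERTIFICATE.wCertificateType for a PKCS#7 SignedData (Authenticode) blob.
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def sha256_hex(data: bytes) -> str:
    """Digest of the whole download, for comparison with an out-of-band published hash."""
    return hashlib.sha256(data).hexdigest()


def find_authenticode_signature(data: bytes):
    """Locate the embedded Authenticode blob in a PE image.

    Returns None for a well-formed PE without a certificate table, a dict
    describing the WIN_CERTIFICATE header when one is present, and raises
    ValueError when the bytes are not a PE image or the table is malformed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte PE signature
    (machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, _characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # IMAGE_OPTIONAL_HEADER starts right after the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")

    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or dirs_off + 8 * ndirs > opt_size:
        return None  # the image declares no certificate-table slot at all
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return None  # slot present but empty: the binary is unsigned
    # For the security directory the "VirtualAddress" field is a raw file offset,
    # so a table that runs past end-of-file is a malformed or truncated download.
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if length > cert_size:
        raise ValueError("WIN_CERTIFICATE length exceeds the certificate table")
    return {
        "machine": machine,
        "file_offset": cert_off,
        "length": length,
        "revision": revision,
        "certificate_type": cert_type,
        "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
    }


def classify(data: bytes) -> str:
    """Coarse triage of a download: 'not-pe', 'malformed-pe', 'unsigned-pe' or 'signed-pe'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    try:
        info = find_authenticode_signature(data)
    except ValueError:
        return "malformed-pe"
    return "signed-pe" if info and info["is_pkcs7"] else "unsigned-pe"


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 image (no sections, not runnable) to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after DOS header
    opt_size = 224                                      # PE32 optional header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, opt_size, 0x0102)  # i386, executable
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        # Placeholder standing in for DER-encoded PKCS#7 SignedData (constructed, not a real signature).
        payload = b"CONSTRUCTED-PKCS7-PLACEHOLDER"
        payload += b"\0" * (-len(payload) % 8)          # WIN_CERTIFICATE is 8-byte aligned
        blob = struct.pack("<IHH", 8 + len(payload),
                           WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        opt_start = len(dos) + 4 + len(coff)
        entry = opt_start + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(blob))
        image += blob
    return bytes(image)


if __name__ == "__main__":
    for name, sample in (("unsigned", build_sample_pe(False)), ("signed", build_sample_pe(True))):
        print(name, classify(sample), sha256_hex(sample))
```

Finding the blob only tells you that method 1 is applicable; it says nothing about whether the signature is valid or who signed it. That judgement needs the PKCS#7 contents checked against a trusted chain, which is what `Get-AuthenticodeSignature` in PowerShell or `signtool verify` does on Windows, and what osslsigncode can do on a Cygwin or Linux host. A download that classifies as `unsigned-pe` or `not-pe` is exactly the situation the post describes, where the remaining defences are an https origin and the detached GnuPG signature.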