X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-1.5 required=5.0 	tests=AWL,BAYES_00,EXECUTABLE_URI,SPF_PASS
X-Spam-Check-By: sourceware.org
Message-ID: <4AA8D0D8.8090902@gmail.com>
Date: Thu, 10 Sep 2009 11:11:36 +0100
From: Dave Korn <dave DOT korn DOT cygwin AT googlemail DOT com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: setup.exe hijacked?
References: <7515D3C005374AED9E2BCFDA491CCF2F AT st DOT com>
In-Reply-To: <7515D3C005374AED9E2BCFDA491CCF2F@st.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Michael PARKER wrote:
> I've just tried downloading setup.exe from www.cygwin.com, only to find that it crashes when run on my WinXP x64 desktop. 
> 
> Verifying against the setup.exe.sig signature I see the following:
> 
>> gpg --verify setup.exe.sig setup.exe
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin AT cygwin DOT com>
> 
> Running a diff on the "strings" output of the new file vs. a "known good" version of setup.exe, I see (amongst garbage) the following:

> Any thoughts?

  I can't reproduce this locally:

> $ wget http://cygwin.com/setup.exe
> --2009-09-10 11:09:45--  http://cygwin.com/setup.exe
> Resolving cygwin.com... 209.132.176.174
> Connecting to cygwin.com|209.132.176.174|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 585728 (572K) [application/octet-stream]
> Saving to: `setup.exe'
> 
> 100%[======================================>] 585,728      121K/s   in 5.2s
> 
> 2009-09-10 11:09:51 (110 KB/s) - `setup.exe' saved [585728/585728]
> 
> 
> admin AT ubik /tmp
> $ wget http://cygwin.com/setup.exe.sig
> --2009-09-10 11:09:51--  http://cygwin.com/setup.exe.sig
> Resolving cygwin.com... 209.132.176.174
> Connecting to cygwin.com|209.132.176.174|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 65 [application/octet-stream]
> Saving to: `setup.exe.sig'
> 
> 100%[======================================>] 65          --.-K/s   in 0s
> 
> 2009-09-10 11:09:51 (1.30 MB/s) - `setup.exe.sig' saved [65/65]
> 
> 
> admin AT ubik /tmp
> $ gpg --verify setup.exe.sig
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>"
> 
> admin AT ubik /tmp
> $

  How did you download it?  I would suspect your browser is hijacked; try wget.

    cheers,
      DaveK


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple