DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:date
	:message-id:subject:from:to:content-type; q=dns; s=default; b=UK
	bpDqeFqMPgRTEXfh0ZgyD4P5sCn8gPNvcCceS6xviYoqZYd0Q9GBxKCvqfrNeULj
	7RSvGQhl8wHtUM07QrMoJmlx44vqvNUkaXDO4WPyoskkbRkOOamCOyznLyskb8Sw
	Wp0BvNkVvURWGjBSl9zz81t3OIa3ewMD1UzZf3NQM=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
MIME-Version: 1.0
In-Reply-To: <E1Ydjc5-0000kv-WD@rmm6prod02.runbox.com>
References: <E1Ydjc5-0000kv-WD AT rmm6prod02 DOT runbox DOT com>
Date: Thu, 2 Apr 2015 21:23:16 -0400
Message-ID: <CADi7v6JKmP7Q2Bb9FgR0rjqQ+F1a_Y6nrG=v8x7WcesqKzXP4Q@mail.gmail.com>
Subject: Re: Should cygwin's setup*.exe be signed using Sign Tool?
From: Bryan Berns <bryan DOT berns AT gmail DOT com>
To: dwheeler AT dwheeler DOT com, cygwin AT cygwin DOT com
Content-Type: text/plain; charset=UTF-8

> Has Cygwin considered signing the installer using Sign Tool? More info:
>   https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
>   http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
>
> I believe signing it this way would eliminate the "unknown publisher"; it would also protect the many people who don't follow the current signature-checking process.  This would create a strong barrier against code subversion after release.
>
> The signed executable could also be signed using the current process, so you don't need to *eliminate* any capability.  I can't provide a patch to do this, obviously :-).
>
> --- David A. Wheeler

Ultimately, this is probably a Corinna question since I believe she
compiles the setup executable, but I'll provide my general input as an
software developer.

Firstly, the tools to sign an executable are certainly available as
part of the Windows SDK which is freely downloadable -- so no problem
there.   However, we would have to determine which publicly trusted
certificate to use (using a self-signed cert would likely produce the
same message) and is signing the executable the *right* thing to do.
Since the setup executable is responsible for running a whole bunch of
community contributed post-install executables as part of the
installation process, I'm not sure whether it'd be advisable to stamp
a particular individual's name or company's name on the executive
installer (e.g. Red Hat, for example).  If a tainted executable was
uploaded into the package repository and subsequently flagged, the
certificate authority may have to revoke the certificate which is
never good for publicity of the signer.  For most pieces of software,
the maintainer or the maintainers company's can very confidently vouch
for the content of the installation package and executables within it.
In the Cygwin world, this accountability is a little more distributed
between the package maintainers and source code contributors.  That
said, I have the upmost respect for the package maintainers and I've
never had any security problems with the Cygwin packages other than
stupid antivirus false positives and some dirty limericks that got
installed (my HR department didn't like that).

So that's my two cents.  For all I know the *real* reason it's not
signed is "nobody had asked for it".

- Bryan

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple