X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=IwCviib
	6TDHZwwxWMMBjq1CjIhLkZ0c0aSb0ZdAtPxnIqp68nY2FPkEP6FC6cppQENTqtK6
	X8ILqRG8bdl8ErdzjuK1E6vLu16NtrmQxT5etWtY5XgVFD+ksmHFetAJWYNhJ7y7
	JovNoRwMI1kynYTNKC+6/ao5lvYOm393i5GI=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:content-type; s=default; bh=58IvCOqWKaxqn
	+HhI4QDruTrLKw=; b=gv6vJYcskot70kFBE/W4yzos3jGoPipBJLO3Ry5bfk/+F
	uz+NYYvoXxiX+nR4Fum5FPbzhRtWVkL4BNCapnOxBTtK+u6sd/x3dIMl44D7/MpC
	njHQ9Ec6SrKhKY7jMSVgMHSkFzu4NykWKQWMQrvyTFGlMQ7UpwSxchqcy+JQj4=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=0.7 required=5.0 tests=AWL,BAYES_20,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=no version=3.3.2 spammy=Herbert, Stocker, stocker, H*f:sk:57EC76B
X-HELO: mail-it0-f41.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=1e100.net; s=20130820;        h=x-gm-message-state:mime-version:in-reply-to:references:from:date         :message-id:subject:to;        bh=psI5D/VDaROqIwWzJqWsFUCbol6d09/vSp98umEAdMs=;        b=T9ft1bPRZJz+oaFuDnEtyUURqdYBY9+zv2tbK2ae1xBU2aB6Ae33g3jg7jd5GHAenQ         u+3r+HKWgBDtxYr5rlkvL5l8mU05M0CIZgAhTgtYObFS3D0cV/PV9J/Fa27EgC2vAs7X         PLAIU/hiebx50LLdQKlxixPE68a71L0rqw3C9W/7h413xR6FoS0ebpzElcWp3qVnsPtI         ImJm3Z8fwKW2imR9rzOYGXt+ZIWLrj2ssVlZX1qR8D2jQK7A9moKYA+td93RZBBnjjT4         qnSJeIKIzFAIJmh4A7GwkcHhXzhuYqiOPMN7TrQ0FBsHjMaaYpZycCL0EQ9AGJU2tfgB         J5hg==
X-Gm-Message-State: AA6/9RmTBP4N/M2Nm/cqST11QeG08abC3ndjA/E0Jz8QfpeQvBy1DpBrEnNngyxC3SQ8qfQSjp8cECBwUU8Qig==
X-Received: by 10.36.36.15 with SMTP id f15mr4160814ita.43.1475169866543; Thu, 29 Sep 2016 10:24:26 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <57EC76BB.9050503@gmx.de>
References: <B0BF22335C47694D8CF77683CF7C809C8451E464 AT TWHQ-MAIL1 DOT trellisware DOT com> <20160928210553 DOT GA12532 AT hdmetxxxx33004g DOT AD DOT UCSD DOT EDU> <57EC76BB DOT 9050503 AT gmx DOT de>
From: Lee <ler762 AT gmail DOT com>
Date: Thu, 29 Sep 2016 13:24:25 -0400
Message-ID: <CAD8GWstWDWRxdMvPoEqg12Wrku4Ac=S=_Aq7Z3UZC1FFGBvG7w@mail.gmail.com>
Subject: Re: URGENT: BAD signature from "Cygwin <cygwin AT cygwin DOT com>"
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset=UTF-8
X-IsSubscribed: yes

On 9/28/16, Herbert Stocker wrote:
> Hi,
>
> On 28.09.2016 23:05, Wayne Porter wrote:
>> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>>> gpg --verify setup-x86.exe.sig setup-x86.exe
>>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID
>>> 676041BA
>>> gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:          There is no indication that the signature belongs to the
>>> owner.
>>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760
>>> 41BA
>>
>> This appears to be a good signature, just that the key is untrusted.
>> Someone
>> else correct me if I'm wrong, but that is typical to see, at least for
>> me.
>
> But doesn't it mean that anybody who manages to hack into your web
> server, or who does a man in the middle attack on the HTTP (without S)
> connection, is able to replace the setup-x86.exe by a malicious one
> and to also provide a corresponding setup-x86.exe.sig, so that the gpg
> output will be "good signature but untrusted key"?

Only if you don't already have a cygwin AT cygwin DOT com key saved:
  if [ $(gpg --list-keys | grep -c 'cygwin AT cygwin DOT com') != 1 ]
  then
    gpg --import ${DESTINATION}/pubring.asc
  fi

altho checking for exactly one instance instead of an instance seems doubtful.

On the other hand, I didn't even know setupXXX.exe was signed so I
haven't been checking at all :(

It'd be nice if someone could add a signature + public key link on the
front page instead of having to click thru the "fresh install" or
"update" link to find out there's signatures available.

Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple