X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding
	:in-reply-to; q=dns; s=default; b=FPTCFbHAC/HfSoY7uAhxu6M8Tcthys
	rP6/VoZl6E9vBOG4IJu2/NH6A0om97rJ0TOlGkJ7sslgBzwpjEhj9t9g+eAgDvVW
	uPHopnrYKRt2o8yElN5Jv/A0H0oK0I1E/9IS0IrPIwMNZQ0elkWTUsIgj99I+BeJ
	kxkeTWx/Dso/Y=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding
	:in-reply-to; s=default; bh=r/aBETF5VLyDMF2/zlgDdqkfWoY=; b=TQYW
	l8YgMFdc7vJoJWexnYTmxEXGX2AaEA03d6FQf575vkPUp5mEhpS81gqVdkggHfaC
	xeqRiHNWeXjz6Qe3GFCCVt38BuoOpDbDy8v1lN1ylBOYJNG8eCtNR4D7Y0PcNait
	GQdmS6W9ELtp7HcDonxBWcGLzgzlv8DEosQ4csE=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=2.0 required=5.0 tests=AWL,BAYES_00,FORGED_MUA_MOZILLA autolearn=no version=3.3.1 spammy=announcement, clique, H*r:Unknown, distributing
X-HELO: blaine.gmane.org
To: cygwin AT cygwin DOT com
From: Achim Gratz <Stromeko AT Nexgo DOT DE>
Subject: Re: How to trust setup.exe?
Date: Sat, 27 Apr 2019 11:42:37 +0200
Message-ID: <qa186d$1upe$1@blaine.gmane.org>
References: <CAAr43iMirXR-r=Jmy1S0za8Pz-yS-beOGouydkrScHKETEmiZg AT mail DOT gmail DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
In-Reply-To: <CAAr43iMirXR-r=Jmy1S0za8Pz-yS-beOGouydkrScHKETEmiZg@mail.gmail.com>
X-IsSubscribed: yes

Am 26.04.2019 um 18:28 schrieb Joel Rees:
> When bootstrapping a chain of trust, having multiple sources for the
> checksum values is significantly better than starting blind.

Except that checksums are at best providing evidence of tampering, not 
anchors of trust.

> I'm writing a blogpost on the use of multiple sources, using cygwin as
> an example, but the announcements for the updates of setup_xx.exe do
> not include the checksums.

The root of trust for setup.exe and the whole of the Cygwin installation 
is the GPG key for cygwin AT cygwin DOT com and the integrity of the 
sourceware.org server hosting the original files, not the checksum of 
any of the files.  Those checksum files you are talking about are 
largely an artefact of how the sourceware.org servers are set up and are 
not meant to provide the assurances you seek.

https://cygwin.com/faq.html#faq.setup.install-security

> And the mirrors don't seem to keep
> setup_xx.exe. And the mirrors are all using .bz and .xz compression,
> which many MSWindowsboxes are not able to open without 3rd party help,
> which is a vicious cycle.

The mirrors are, as the name implies, mirrors, so any compression used 
is already there in the (non-public) repo the mirrors are distributing. 
The setup.ini file is also available uncompressed, though, expressedly 
so folks can read it without having to decompress anything.

> The blogpost:
> https://joels-programming-fun.blogspot.com/2019/04/bootstrapping-your-freedom-cygwin-gpg.html

That would need significant reorganization to become useful, IMHO.  But 
again, you're missing the whole point of what the trust anchor really is 
and how to verify it.  And yes, that bootstrapping step (obtaining and 
vetting setup.exe) would have to be done on a different system than the 
one you intend to install on if you are serious about it; although if 
you suspect that someone manipulates your system, then installing a 
clean Cygwin (assuming you succeed at it) onto that isn't really going 
to help matters.

> Would it be impossible to ask someone in the project to put the
> checksums in the announcements for setup?

Are you asking about the possibility of asking?

I'm not involved in releasing new setup.exe versions onto the server, so 
I can't comment on how much extra work it'd be to add the checksums to 
the announcement.

> And what about putting a regular zip compressed setup on the mirrors,
> so we can run certutil to check the checksum of the setup we run when
> we grab our first download, then grab gpg with a somewhat trusted
> system to use when checking the next version of setup that we
> download?

The way things work right now the mirrors don't need to be trusted with 
anything.  Distributing setup.exe over the mirrors would actually open a 
door to manipulation if a user can be tricked or forced into using only 
(one or a clique of) rogue mirror(s).

> It would not be a perfect chain, but without that we have nothing but
> broken links and reverse implications

Perfection is not attainable anyway.

-- 
Achim.

(on the road :-)


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple