This is the mail archive of the
mailing list for the Cygwin project.
Updated: Setup.exe updated to version 2.573.2.3
- From: "Dave Korn" <dave dot korn at artimi dot com>
- To: <cygwin-announce at cygwin dot com>
- Date: Tue, 5 Aug 2008 14:30:12 +0100
- Subject: Updated: Setup.exe updated to version 2.573.2.3
- Reply-to: The Cygwin Mailing List <cygwin at cygwin dot com>
I've updated the version of setup.exe at <http://cygwin.com/setup.exe> to
This version incorporates major new security-related features and
a number of bug fixes, as listed below.
No action is required by maintainers of standard Cygwin mirrors, but
maintainers of customised package repositories will need to take action.
Please see the "Custom Mirrors" section below for more information.
This release fixes the security vulnerability CVE-2008-3323 identified by
Derek Callaway of Security Objectives. Derek observed that there
was no protection against either a corrupt mirror or a DNS hijacker or other
MitM feeding a modified setup.ini file to setup.exe and thereby causing it
to download and install a maliciously-modified package tarball.
To verify that users are not fed a malicious setup.ini, we have instituted
GPG signing of setup.ini, setup.bz2, and their -1.7 equivalents on the
Cygwin.com website. Setup.exe now contains a public key, and verifies any
of the setup index files it downloads against that key. If an index file
fails to verify, or no .sig file is present on the mirror, setup.exe refuses
to accept the untrusted index file.
By guaranteeing that setup.exe only accepts genuine index files, we can
guarantee the md5sums in those index files are untampered; as setup.exe
verifies the md5sums of downloaded packages against those indicated in the
setup index file and rejects any that don't match as corrupt downloads,
Cygwin users are protected against a malicious mirror attempting to
manipulate either/and/or/both package tarballs and setup index files.
The public key used in signing these files is appended below; it can be
cut and pasted from this email into "gpg --import" at the command-line. It
can also be used to verify setup.exe itself, which is also signed on
If we, from time to time, need to change this key, we will release a new
version of setup.exe and make announcements on the cygwin and
cygwin-announce mailing lists, and on the cygwin.com website.
Maintainers of standard mirrors of the upstream cygwin.com/sourceware.org
public repository need take no action. There will be no impact from these
changes apart from the presence of the new .sig files alongside the existing
setup.ini/setup.bz2 et. al.
Maintainers of customised repositories will be impacted. Read on for
details and mitigation.
Without taking action, the new version of setup.exe will refuse to install
from your repositories when it fails to find a valid signature for your
customised setup.ini files. There are a number of option open to you and
your users to deal with this situation.
Unfortunately this is only the first release of this feature and currently
requires the use of command-line options to modify the
signature-verification behaviour; we apologise for the pressure of time and
manpower resources that has not allowed us to develop more user-friendly
features initially, and would like to work with package repository
maintainers to improve the usability of future versions of setup.exe for
them and their users. Please direct suggestions for improved mechanisms,
bug-reports, and (especially!) offers of help to the cygwin-apps list.
This list summarizes the main possibilities, in decreasing order of
1) Tell your users that they must retain and use an old version of
setup.exe to access your mirror. This old version will not complain about
the lack of signature files.
2) Tell your users to supply the new -X (--no-verify) command-line flag
when using setup.exe to download from your mirror. This can be added into
the command-line invocation in a Windows shortcut, for convenience.
3) Start signing your custom-generated setup.ini and setup.bz2 files with
gpg, and either
- i) Convert your public key to s-expr format using the script
gpg-key-to-s-expr.sh from the setup.exe sources (requires an installation
of pgpdump), distribute it to your users, and ask them to specify it as
the argument to the -S command-line option (can be done using a shortcut to
- ii) Convert your public key to s-expr format, distribute it to your
users, and tell them either to use the -S option once to load it into the
untrusted keys cache and the -U option subsequently.
- iii) Distribute your public key file to users in binary gpg format, and
tell them to use the -K command-line option to point at it, either every
time, or just initially to load it into the untrusted keys cache, followed
by use of -U on subsequent occasions.
We're aware that this is not entirely convenient, but the security relies
on users to only knowingly accept keys; if we had setup.exe just look for a
key file on the mirror itself, it would no longer protect against a corrupt
mirror. We look forward to working with you to make it more convenient for
both you and your users.
- Signature verification of setup index files.
NEW COMMAND-LINE OPTIONS
-X --no-verify Don't verify setup.ini signatures
-K --pubkey Path to extra public key file (gpg
-S --sexpr-pubkey Extra public key in s-expr format
-u --untrusted-keys Use untrusted keys from
-U --keep-untrusted-keys Use untrusted keys and retain all
- Revert to using the original "setup_9x.ini" filename for (no-longer
supported) Win9X installations.
- Fix for potential crash with missing package-cache files.
- Fix for crashes caused by corrupted package listing files.
- Fix for potential double-free crash bug.
 - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3323
 - http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt
 - http://bugzilla.redhat.com/show_bug.cgi?id=449929
 - http://cygwin.com/setup.exe.sig
 - http://www.mew.org/~kazu/proj/pgpdump/
 - http://www.pgpdump.net/
CYGWIN SETUP SIGNING PUBLIC KEY
This is the public half of the key used to sign Cygwin setup files. It
can be used to verify your initial download of setup.exe from the Cygwin
website; download the .sig file and the .exe to the same directory, and run
gpg --verify setup.exe.sig
from a Bash or other shell command-line. You can import the key to your gpg
keyring by running
and then cutting and pasting the public key block below directly into your
shell, or you can save this message to a text file and run
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
DSA key ID 676041BA
pub 1024D/676041BA 2008-06-13
uid Cygwin <email@example.com>
sub 1024g/A1DB7B5C 2008-06-13
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (Cygwin)
-----END PGP PUBLIC KEY BLOCK-----
Can't think of a witty .sigline today....