This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Should cygwin's setup*.exe be signed using Sign Tool?

From: "David A. Wheeler" <dwheeler at dwheeler dot com>
To: "cygwin" <cygwin at cygwin dot com>
Date: Thu, 02 Apr 2015 23:17:17 -0400 (EDT)
Subject: Re: Should cygwin's setup*.exe be signed using Sign Tool?
Authentication-results: sourceware.org; auth=none
Reply-to: dwheeler at dwheeler dot com

David A. Wheeler inquired:
> > Has Cygwin considered signing the installer using Sign Tool? More info:

On Fri, 3 Apr 2015 01:22:15 +0300, Andrey Repin <anrdaemon@yandex.ru> wrote:
> Did Microsoft made it available separately? Or is there a description of the
> structure of such a signature and/or a free tool that can be used to generate it?

Microsoft makes signtool available as part of its SDK at no charge (gratis, not libre):
  https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx

This page points to some alternatives:
  http://stackoverflow.com/questions/18211594/windows-code-signing-process-alternative-to-ms-signtool-exe
They note that Mono includes "signcode", and it's libre (as well gratis).  Instructions here:
  https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode

> Last I checked, you have to install a metric ton of garbage to get signtool as
> a bonus.

It seems to be a short ton.  The default installs a lot, but you can deselect much.
It's not tiny due to dependencies, but it's not *everything*.

Also, you *only* have to install it on the system that does the signing;
no other system needs it.  It's good to have a separate signing system anyway.

> People who don't check signature manually, won't check the credibility of
> the embedded signature either.
> And it only takes about thirty seconds to fake the lines that are visible in
> prompt dialogue.

Clearly this is limited.  But these signatures are automatically checked by Windows, and
the publisher is displayed for review before acceptance, which raises the bar a little.
The number of people who check the signatures on setup*.exe is probably pretty small;
I'm hoping to raise the safety bar for everyone else.

There's also an appearance factor: running an unsigned app looks scarier
(there's a warning "The publisher could not be verified...", possibly followed by a User Account
warning again noting the 'unknown' publisher).  Having a signature may
make users and their admins more confident that it's okay to use Cygwin.

--- David A. Wheeler

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

References:
- Re: Should cygwin's setup*.exe be signed using Sign Tool?
  - From: Andrey Repin

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]