This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: URGENT: BAD signature from "Cygwin <cygwin at cygwin dot com>"


On 2016-09-28 16:58, Thomas Sanders wrote:
###
  wget -q http://cygwin.com/setup-x86.exe        -O ${DESTINATION}/setup-x86.exe
  wget -q http://cygwin.com/setup-x86.exe.sig    -O ${DESTINATION}/setup-x86.exe.sig
  wget -q http://cygwin.com/setup-x86_64.exe     -O ${DESTINATION}/setup-x86_64.exe
  wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
  wget -q http://cygwin.com/key/pubring.asc      -O ${DESTINATION}/pubring.asc

  if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
  then
    gpg --import ${DESTINATION}/pubring.asc
  fi

  echo "testing ${DESTINATION}/setup-x86.exe"
  gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
  if [ ${?} -gt 0 ]
  then
    mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
  fi

  echo "testing ${DESTINATION}/setup-x86_64.exe"
  gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
  if [ ${?} -gt 0 ]
  then
    mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
  fi
###
Here is the output:
testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"

testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

IIRC to suppress BAD and WARNING (it's been a while since I did this)
you install gnupg package, then generate your own key:
[following edited to obscure local details; I edited the details using
the example provided in gpg; skip this step if you have already done it
with your own details]

$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `~/.gnupg' created
gpg: new configuration file `~/.gnupg/gpg.conf' created
gpg: WARNING: options in `~/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `~/.gnupg/secring.gpg' created
gpg: keyring `~/.gnupg/pubring.gpg' created

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 28 Sep 2018 09:17:14 PM GMT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Heinrich Heine
Email address: heinrichh@duesseldorf.de
Comment: Der Dichter
You selected this USER-ID:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

[*open another terminal and run "find / >& /dev/null &"; then do a Windows
File Explorer search for e; browse the web and wave the mouse around;
type junk into other windows; until the following messages stop appearing:
may take a few minutes unless your system is running background work*]

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 264 more bytes)
............+++++
....+++++

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 86 more bytes)
.....+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 128 more bytes)
............+++++

gpg: ~/.gnupg/trustdb.gpg: trustdb created
gpg: key FFFFFFFF marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-09-29
pub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
      Key fingerprint = FFFF FFFF FFFF FFFF FFFF  FFFF FFFF FFFF FFFF FFFF
uid                  Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]

$ gpg --list-keys
~/.gnupg/pubring.gpg
----------------------------
pub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
uid                  Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]

$

Only then can you add the Cygwin key to your key ring:

$ gpg --keyserver keys.gnupg.net --recv-keys 676041BA

then make it good by running:

$ gpg --keyserver keys.gnupg.net --edit-key 676041BA
gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024D/676041BA  created: 2008-06-13  expires: never       usage: SC
sub  1024g/A1DB7B5C  created: 2008-06-13  expires: never       usage: E
(1). Cygwin <cygwin@cygwin.com>

gpg> trust
pub  1024D/676041BA  created: 2008-06-13  expires: never       usage: SC
sub  1024g/A1DB7B5C  created: 2008-06-13  expires: never       usage: E
(1). Cygwin <cygwin@cygwin.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5 [or maybe 4?]

gpg> q

$

Now your gpg --verify should succeed with a good key.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
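Added example, not part of either poster's message: a sketch of the same verification driven by gpg's machine-readable `--status-fd` output, which reports a BADSIG (signature does not match the file) separately from a good signature made by a key with no assigned trust, and compares the signer against a pinned fingerprint. The fingerprint is the one printed in the quoted output; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Pin: the primary key fingerprint printed in the quoted output.
CYGWIN_FPR=1169DF9F22734F743AA59232A9A262FF676041BA

# classify_status PIN: read `gpg --status-fd` lines on stdin, print one verdict:
#   bad        BADSIG: the signature does not match the file contents
#   stale      signature or key is expired, or the key is revoked
#   good       VALIDSIG whose signing or primary key fingerprint equals PIN
#   wrongkey   valid signature, but made by some other key
#   unverified nothing checkable (for example, public key not in the keyring)
classify_status() {
  awk -v pin="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "BADSIG" { bad = 1 }
    $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
    # Append "" to force string (not numeric) comparison of the hex fields.
    $2 == "VALIDSIG" { valid = 1; if (($3 "") == pin || ($NF "") == pin) pinned = 1 }
    END {
      if (bad) print "bad"
      else if (stale) print "stale"
      else if (pinned) print "good"
      else if (valid) print "wrongkey"
      else print "unverified"
    }'
}

# verify_pinned FILE SIG: succeed only for a good signature by the pinned key.
verify_pinned() {
  verdict=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
            classify_status "$CYGWIN_FPR")
  echo "$1: $verdict"
  [ "$verdict" = good ]
}

# Constructed status lines mirroring the two results in the quoted output.
sample_bad() {
  printf '%s\n' '[GNUPG:] BADSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>'
}
sample_good() {
  printf '%s\n' \
    '[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>' \
    "[GNUPG:] VALIDSIG $CYGWIN_FPR 2016-09-09 1473412805 0 4 0 17 2 00 $CYGWIN_FPR" \
    '[GNUPG:] TRUST_UNDEFINED'
}

# Usage: sh thisfile setup-x86.exe setup-x86.exe.sig
[ "$#" -ne 2 ] || verify_pinned "$1" "$2"
```

The pinned value is only as reliable as the channel it was obtained from, so compare it against a copy of the fingerprint retrieved independently of the download being checked.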
