This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Should cygwin's setup*.exe be signed using Sign Tool?
- From: "David A. Wheeler" <dwheeler at dwheeler dot com>
- To: "cygwin" <cygwin at cygwin dot com>
- Date: Thu, 02 Apr 2015 23:17:17 -0400 (EDT)
- Subject: Re: Should cygwin's setup*.exe be signed using Sign Tool?
- Authentication-results: sourceware.org; auth=none
- Reply-to: dwheeler at dwheeler dot com
David A. Wheeler inquired:
> > Has Cygwin considered signing the installer using Sign Tool? More info:
On Fri, 3 Apr 2015 01:22:15 +0300, Andrey Repin <anrdaemon@yandex.ru> wrote:
> Did Microsoft make it available separately? Or is there a description of the
> structure of such a signature and/or a free tool that can be used to generate it?
Microsoft makes signtool available as part of its SDK at no charge (gratis, not libre):
https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
This page points to some alternatives:
http://stackoverflow.com/questions/18211594/windows-code-signing-process-alternative-to-ms-signtool-exe
They note that Mono includes "signcode", and it's libre (as well as gratis). Instructions here:
https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode
> Last I checked, you have to install a metric ton of garbage to get signtool as
> a bonus.
It seems to be a short ton. The default installs a lot, but you can deselect much.
It's not tiny due to dependencies, but it's not *everything*.
Also, you *only* have to install it on the system that does the signing;
no other system needs it. It's good to have a separate signing system anyway.
> People who don't check the signature manually won't check the credibility of
> the embedded signature either.
> And it only takes about thirty seconds to fake the lines that are visible in
> prompt dialogue.
Clearly this is limited. But these signatures are automatically checked by Windows, and
the publisher is displayed for review before acceptance, which raises the bar a little.
The number of people who check the signatures on setup*.exe is probably pretty small;
I'm hoping to raise the safety bar for everyone else.
There's also an appearance factor: running an unsigned app looks scarier
(there's a warning "The publisher could not be verified...", possibly followed by a User Account
warning again noting the 'unknown' publisher). Having a signature may
make users and their admins more confident that it's okay to use Cygwin.
--- David A. Wheeler