This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: URGENT: BAD signature from "Cygwin <cygwin at cygwin dot com>"
On 9/28/16, Herbert Stocker wrote:
> Hi,
>
> On 28.09.2016 23:05, Wayne Porter wrote:
>> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>>> gpg --verify setup-x86.exe.sig setup-x86.exe
>>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg: There is no indication that the signature belongs to the owner.
>>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
>>
>> This appears to be a good signature, just that the key is untrusted.
>> Someone else correct me if I'm wrong, but that is typical to see, at
>> least for me.
>
> But doesn't it mean that anybody who manages to hack into your web
> server, or who does a man in the middle attack on the HTTP (without S)
> connection, is able to replace the setup-x86.exe by a malicious one
> and to also provide a corresponding setup-x86.exe.sig, so that the gpg
> output will be "good signature but untrusted key"?
Only if you don't already have a cygwin@cygwin.com key saved:
if [ "$(gpg --list-keys | grep -c 'cygwin@cygwin.com')" != 1 ]
then
    gpg --import "${DESTINATION}/pubring.asc"
fi
although checking for exactly one instance instead of an instance seems doubtful.
On the other hand, I didn't even know setupXXX.exe was signed so I
haven't been checking at all :(
It'd be nice if someone could add a signature + public key link on the
front page instead of having to click through the "fresh install" or
"update" link to find out there's signatures available.
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
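Herbert's concern above (a tampered setup-x86.exe with a matching .sig from an attacker's key still yields "Good signature") is closed by pinning the fingerprint printed in Thomas's output rather than trusting whatever key happens to be in the keyring. The script below is an added example, not code from the thread or from Cygwin's setup; it assumes a gpg that emits `--status-fd` lines (the `VALIDSIG` record carries the primary key fingerprint) and uses a constructed status sample so the parsing part runs without gpg or network access.

```shell
#!/bin/sh
# Fingerprint quoted in the thread, with spaces removed (VALIDSIG prints it unspaced).
CYGWIN_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# Read gpg --status-fd output on stdin and print the primary key fingerprint.
# VALIDSIG layout after the "[GNUPG:]" tag: sig-fpr date timestamp expire
# version reserved pubkey-algo hash-algo class primary-key-fpr; older gpg
# omits the last field, in which case the signing-key fingerprint is used.
primary_fpr_from_status() {
    awk '$2 == "VALIDSIG" { if (NF >= 12) print $12; else print $3; exit }'
}

# Compare a found fingerprint against the pinned one (case-insensitive).
# Returns 0 only when a fingerprint was found and it matches exactly.
check_fingerprint() {
    found=$1
    expected=$2
    [ -n "$found" ] && [ "$(printf '%s' "$found" | tr 'a-f' 'A-F')" = "$expected" ]
}

# Verify $2 against signature $1: gpg must report a valid signature AND the
# primary key fingerprint must equal the pinned value. A "good signature"
# from any other key in the keyring is rejected here.
verify_setup() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | primary_fpr_from_status)
    check_fingerprint "$fpr" "$CYGWIN_FPR"
}

# Constructed sample of what gpg --status-fd emits for the Cygwin key
# (timestamps and algorithm fields are illustrative, not captured output).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2016-09-09 1473412802 0 4 0 17 2 00 1169DF9F22734F743AA59232A9A262FF676041BA
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Demonstrate the pinned check on the constructed sample.
fpr=$(printf '%s\n' "$SAMPLE_STATUS" | primary_fpr_from_status)
if check_fingerprint "$fpr" "$CYGWIN_FPR"; then
    echo "fingerprint pinned OK: $fpr"
else
    echo "fingerprint mismatch or missing: '$fpr'" >&2
fi
# Real use: verify_setup setup-x86.exe.sig setup-x86.exe && echo OK
```

Note that gpg's TRUST_UNDEFINED line is exactly the "untrusted key" warning from the thread; the pinned comparison makes that warning irrelevant because the decision no longer depends on the web of trust.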