* [setup - the official Cygwin setup program] branch master, updated. release_2.902-2-gf681d72f
@ 2020-03-12 15:58 Jon TURNEY
From: Jon TURNEY @ 2020-03-12 15:58 UTC (permalink / raw)
  To: cygwin-apps-cvs;h=f681d72f73742906af0dda247655ea6da264fb76

commit f681d72f73742906af0dda247655ea6da264fb76
Author: Jon Turney <>
Date:   Sun Mar 1 13:40:21 2020 +0000

    Produce detached signature for setup executable using new and old keys
    This is slightly fraught: If we don't specify a digest preference, sha1
    will be used with both keys, which we don't want.  Even if we do specify
    a digest preference, sha1 is still used for DSA, and gpg won't verify
    all the signatures, if they don't use the same hash algorithm (See [1]).
    So specify dsa2 as well, to allow sha256 to be used in both signatures.

commit f724f2f38bdc95fd7068d1a183a8229d865d35f2
Author: Jon Turney <>
Date:   Fri Feb 28 18:13:53 2020 +0000

    Run libgcrypt self-tests
    The libgcrypt in Fedora's mingw-libgcrypt package is patched to always
    run self-tests, even if FIPS mode isn't on.
    Ensure self-tests run before we turn on voluble debugging, to avoid even
    more log spam.
    If we're going to run the self-test, we should report if it fails :)

--- | 3 ++-   | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ b/
index 4ceeb98d..987909cd 100644
--- a/
+++ b/
@@ -306,10 +306,11 @@ release: upx
+SIGN_KEYS="--enable-dsa2 --personal-digest-preferences=sha256 -u 676041BA -u 1A698DE9E2E56300"
 upload: release
 	scp setup-${VER}.$(ARCH).exe setup-${VER}.$(ARCH).dbg ${UPLOAD_HOST}:${UPLOAD_PATH}
-	ssh ${UPLOAD_HOST} gpg --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
+	ssh ${UPLOAD_HOST} gpg ${SIGN_KEYS} --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
 	rm -f setup*${EXEEXT} setup*.dbg
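Review bot: The -u 676041BA in the added SIGN_KEYS line selects a signing key by its 32-bit short key ID, which is not unique and can match more than one key in a keyring, while the second key is given by a 64-bit ID. Suggest naming both keys by full fingerprint so the pair that signs the release is unambiguous. Separately, if this file is a makefile, the double quotes are part of the SIGN_KEYS value, and the options reach gpg as separate words only because ssh joins its arguments and the remote shell splits them again; dropping the quotes would remove that dependency.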
diff --git a/ b/
index c4814b9e..2e4ba218 100644
--- a/
+++ b/
@@ -676,9 +676,15 @@ verify_ini_file_sig (io_stream *ini_file, io_stream *ini_sig_file, HWND owner)
       gcry_set_log_handler (gcrypt_log_adaptor, NULL);
-      gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1);
       gcry_check_version (NULL);
+      if ((rv = gcry_control (GCRYCTL_SELFTEST)) != GPG_ERR_NO_ERROR)
+        ERRKIND (owner, IDS_CRYPTO_ERROR, rv, "libgcrypt selftest failed");
+      gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1);
       gcrypt_init = true;
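Review bot: On the added gcry_control (GCRYCTL_SELFTEST) check, nothing in the visible lines stops execution after a failure: unless ERRKIND leaves the function, control continues to gcrypt_init = true, so a failed self-test is recorded as a completed initialisation and signature verification goes ahead with a library that reported itself broken. If gcrypt_init guards this block, the self-test would also not be retried on later calls. Suggest confirming that ERRKIND returns here, or returning a failure explicitly before gcrypt_init is set, and adding a short comment on why the self-test has to come before GCRYCTL_SET_DEBUG_FLAGS.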
