Hi Jon,

On Dec 12 13:29, Jon Turney wrote:
> As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
> 
> This is quite straightforward, but unfortunately, requires a non-technical
> problem to be solved to complete.
> 
> 1/ A code signing certificate signed by a CA is required.

Where do we get one which is trusted, can be checked publically,
and doesn't cost any money?

Who will be keymaster and with whom do we share the private key?

> 2/ The signature should be timestamped, so that it remains vaild after the
> signing key expires, but I assume you have to use the timestamp service of
> the CA that signed the key.

Not necessarily.  We can workaround that by getting a new key and
release a new setup.

> +sign:	upx
> +	@if [ -e `which osslsigncode` ]; then \
> +		osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
                                         ^^^^^^^^^
                                         $(srcdir)?

This might not be quite right.  We need to store the cert in a reasonable
safe place, certainly not in srcdir (or git).


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat