Date: Mon, 12 Dec 2016 17:31:00 -0000
From: Corinna Vinschen
To: cygwin-apps@cygwin.com
Subject: Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
Message-ID: <20161212173051.GD3705@calimero.vinschen.de>
References: <20161212132929.58904-1-jon.turney@dronecode.org.uk> <20161212132929.58904-5-jon.turney@dronecode.org.uk>
In-Reply-To: <20161212132929.58904-5-jon.turney@dronecode.org.uk>

Hi Jon,

On Dec 12 13:29, Jon Turney wrote:
> As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
>
> This is quite straightforward, but unfortunately, requires a non-technical
> problem to be solved to complete.
>
> 1/ A code signing certificate signed by a CA is required.

Where do we get one which is trusted, can be checked publicly, and
doesn't cost any money? Who will be keymaster and with whom do we share
the private key?

> 2/ The signature should be timestamped, so that it remains valid after the
> signing key expires, but I assume you have to use the timestamp service of
> the CA that signed the key.

Not necessarily. We can work around that by getting a new key and
releasing a new setup.

> +sign: upx
> + @if [ -e `which osslsigncode` ]; then \
> + osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
                             ^^^^^^^^^
$(srcdir)? This might not be quite right. We need to store the cert in
a reasonably safe place, certainly not in srcdir (or git).

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
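
Review bot: the guard `[ -e `which osslsigncode` ]` on the first recipe line of the `sign` target does not catch a missing tool. When `which` prints nothing on stdout, the unquoted substitution collapses the test to `[ -e ]`, which is true because a single non-empty argument always tests true, so the recipe goes on to call osslsigncode anyway. `command -v osslsigncode >/dev/null 2>&1` is a reliable replacement. On the `osslsigncode sign` line, no timestamp option (`-t` or `-ts`) is passed even though point 2/ of the commit message says the signature should be timestamped. The same line reads the private key from `$(srcdir)/cygwin.key`; taking the certificate and key paths from make variables that the signer sets at build time would let the key live outside the source tree.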