On Dec 12 19:47, Achim Gratz wrote:
> Corinna Vinschen writes:
> >> 2/ The signature should be timestamped, so that it remains valid after the
> >> signing key expires, but I assume you have to use the timestamp service of
> >> the CA that signed the key.
> >
> > Not necessarily.  We can work around that by getting a new key and
> > releasing a new setup.
>
> That wouldn't do any good for folks trying to use an old setup version
> or am I missing something?

They would get two messages, "Sig has expired" and "there's a new
version of setup".  Isn't that sufficient?

Corinna

> In the meantime, we could provide a detached signature with the cygwin
> key, just like we do for setup.ini?

We already do.  You can download setup-x86.exe.sig and
setup-x86_64.exe.sig from https://cygwin.com/

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat