On Dec 13 19:33, Achim Gratz wrote:
> Corinna Vinschen writes:
> >> That wouldn't do any good for folks trying to use an old setup version
> >> or am I missing something?
> >
> > They would get two messages, "Sig has expired" and "there's a new version
> > of setup".  Isn't that sufficient?
> 
> I was under the (maybe mistaken) impression that the executable would
> stop running if the signature was deemed incorrect.
> 
> >> In the meantime, we could provide a detached signature with the cygwin
> >> key, just like we do for setup.ini?
> >
> > We already do.  You can download setup-x86.exe.sig and
> > setup-x86_64.exe.sig from https://cygwin.com/
> 
> It's not advertised in an easily accessible place (i.e. right besides
> the download link on cygwin.com main page).  The install page shows
> those, but I'm not sure how many people look it up there.

The websites are in git(*).  Just send patches if you see some flaw.


Thanks,
Corinna

(*) https://cygwin.com/git/gitweb.cgi?p=cygwin-htdocs.git

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat