setup 2.902 release candidate - please test

setup 2.902 release candidate - please test

[Jon Turney]

A new setup release candidate is available at:

   https://cygwin.com/setup/setup-2.902.x86_64.exe (64 bit version)
   https://cygwin.com/setup/setup-2.902.x86.exe    (32 bit version)

Please test, and report any problems here.

Changes compared to 2.901:

- Can now verify (using a public key provided with the --pubkey option) 
signatures made:

* using an RSA key

* using a DSA key with an alternate hash algorithm (e.g. 'gpg 
--enable-dsa2 --personal-digest-preferences=sha256' with a 1024D key)

* using multiple keys (i.e. the .sig file contains multiple signatures), 
where a signature from a known key is not the first one appearing.

- Embeds a new Cygwin public key (which nothing is actually signed with yet)

* The '--disable-old-keys' option disables use of the current Cygwin 
signing key.

- When run with the '--no-admin' option, restore output appearing in a 
Cygwin terminal (when using Cygwin 3.1.0 or later)

- Various code cleanups

Re: setup 2.902 release candidate - please test

[Jon Turney]

On 28/02/2020 17:45, Jon Turney wrote:
> 
> A new setup release candidate is available at:
> 
>    https://cygwin.com/setup/setup-2.902.x86_64.exe (64 bit version)
>    https://cygwin.com/setup/setup-2.902.x86.exe    (32 bit version)
> 
[...]
> 
> * using multiple keys (i.e. the .sig file contains multiple signatures), 
> where a signature from a known key is not the first one appearing.
> 
> - Embeds a new Cygwin public key (which nothing is actually signed with 
> yet)

setup.ini is now being signed with both old and new Cygwin keys.

> * The '--disable-old-keys' option disables use of the current Cygwin 
> signing key.

... so it's now possible to successfully run setup, even when using this 
option.

(as setup will ignore the first signature (made with the old key) and 
verify the next signature made with the new key)

... and hopefully existing setup keeps on working as well :)

Re: setup 2.902 release candidate - please test

[ASSI]

Jon Turney writes:
>> - Embeds a new Cygwin public key (which nothing is actually signed
>> with yet)
>
> setup.ini is now being signed with both old and new Cygwin keys.

As I have my own mirror script that will then combine any local packages
into one targeted install hierarchy and I _do_ check the signatures
(that has saved me from broken mirrors a few times), I've had to go and
import the new keys, which then gives me:

... mirroring
 ==>    /mnt/mirror/cygwin/x86/setup.xz.sig
 ==>    /mnt/mirror/cygwin/x86/setup.xz    
Waiting for 2 transfers to finish 2 1      
        ...all transfers finished!
gpg: Signature made Sa, 14. Mrz 2020 11:53:57 CET
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [unknown]           
gpg: Signature made Sa, 14. Mrz 2020 11:53:57 CET                         
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [unknown]           

So external signature checks actually work exactly as intended, thanks.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf rackAttack:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds