From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cygwin-return-172202-listarch-cygwin=sourceware.org@cygwin.com>
Received: (qmail 10490 invoked by alias); 22 Aug 2011 17:38:04 -0000
Received: (qmail 10191 invoked by uid 22791); 22 Aug 2011 17:38:02 -0000
X-SWARE-Spam-Status: No, hits=-2.6 required=5.0	tests=BAYES_00,RCVD_IN_DNSWL_LOW
X-Spam-Check-By: sourceware.org
Received: from nfitmail.nfit.au.dk (HELO smtp.nfit.au.dk) (130.225.31.129)    by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Mon, 22 Aug 2011 17:37:48 +0000
Received: from smtp.nfit.au.dk (localhost [127.0.0.1])	by smtp.nfit.au.dk (Postfix) with ESMTP id 34D34571A2;	Mon, 22 Aug 2011 19:37:46 +0200 (CEST)
Received: from zcbsf.22.aug.2011.kasperd.net (daimi-pat.daimi.au.dk [130.225.0.251])	by smtp.nfit.au.dk (Postfix) with SMTP id 92A2F571A1;	Mon, 22 Aug 2011 19:37:45 +0200 (CEST)
Date: Mon, 22 Aug 2011 17:38:00 -0000
From: Kasper Dupont <kasperd@zcbsf.22.aug.2011.kasperd.net>
To: cygwin@cygwin.com
Subject: How do I verify the integrity of the setup.exe binary?
Message-ID: <20110822173743.GA22681@colin.search.kasperd.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.4.2.3i
X-NFIT-ADSL: 0
X-NFIT-RelayAddr: 130.225.0.251
X-NFIT-MX: True
X-Sim: 75700d080329d80e4c0229e1caa12451cf2388635f666e244b0c2d9c72526c6f 965
X-NFIT-Solido-Score: 3.
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
X-SW-Source: 2011-08/txt/msg00436.txt.bz2

I wanted to install Cygwin on one machine, but I got stuck
trying to figure out how to verify the integrity of the
downloaded setup.exe binary.

The documentation points at a signature file and public key
file hosted on the same webserver as setup.exe. Thus those
could be tampered with just as easily as setup.exe itself.

If I knew how to get the public key from a secure source, I
know how to use gpg to validate the signature. I would have
expected the public key to be available over https as well,
but I wasn't able to find it anywhere.

I looked through the FAQ, but this question did not appear
to have been addressed there.

--=20
Kasper Dupont -- Rigtige m=E6nd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_=3D"@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,11,_+2,_+7,_+6=
);

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple