* URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Thomas Sanders @ 2016-09-28 21:06 UTC
  To: cygwin

FYI, I don't know if this is working as designed (please see the application error below).
wget https://cygwin.com/setup-x86.exe
wget https://cygwin.com/setup-x86.exe.sig

gpg --verify setup-x86.exe.sig setup-x86.exe                  
gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

When running the app the following error occurs (Windows 7)

This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with th
e version of Windows you're running. Check your computer's system information to
 see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and
 then contact the software publisher.
----
wget https://cygwin.com/setup-x86_64.exe.sig
wget https://cygwin.com/setup-x86_64.exe

gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

 -- 
Thomas Sanders | Sr. Network Systems Administrator
TrellisWare Technologies, Inc.

Office/FAX: 858-753-1654 | Mobile: 619-512-3311


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Wayne Porter @ 2016-09-28 21:11 UTC
  To: cygwin

On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
> gpg --verify setup-x86.exe.sig setup-x86.exe                  
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

This appears to be a good signature, just that the key is untrusted. Someone
else correct me if I'm wrong, but that is typical to see, at least for me.

> When running the app the following error occurs (Windows 7)
> 
> This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with th
> e version of Windows you're running. Check your computer's system information to
>  see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and
>  then contact the software publisher.

What is the output of the following from your system:
	echo %PROCESSOR_IDENTIFIER% %PROCESSOR_ARCHITECTURE%



Wayne Porter

* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Andrey Repin @ 2016-09-28 21:20 UTC
  To: Thomas Sanders, cygwin

Greetings, Thomas Sanders!

> FYI, I don't know if this is working as designed (please see the application error below)
> wget https://cygwin.com/setup-x86.exe
> wget https://cygwin.com/setup-x86.exe.sig  

> gpg --verify setup-x86.exe.sig setup-x86.exe                  
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
-------^^^^^^^^^^^^^^
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

> When running the app the following error occurs (Windows 7)

> This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with th
> e version of Windows you're running. Check your computer's system information to
>  see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and
>  then contact the software publisher.

Likely cause is your AV software blocking the file.
Try saving it with -O innocent_name.exe

> ----
> wget https://cygwin.com/setup-x86_64.exe.sig
> wget https://cygwin.com/setup-x86_64.exe

> gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
-------^^^^^^^^^^^^^^
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

Did you copy-paste the wrong console output or what?


-- 
With best regards,
Andrey Repin
Thursday, September 29, 2016 00:12:02

Sorry for my terrible English...



* RE: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Thomas Sanders @ 2016-09-29  0:05 UTC
  To: cygwin

Thanks for the reply, here is the actual script. I must have copy/pasted the wrong info previously.
###
  wget -q http://cygwin.com/setup-x86.exe        -O ${DESTINATION}/setup-x86.exe
  wget -q http://cygwin.com/setup-x86.exe.sig    -O ${DESTINATION}/setup-x86.exe.sig
  wget -q http://cygwin.com/setup-x86_64.exe     -O ${DESTINATION}/setup-x86_64.exe
  wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
  wget -q http://cygwin.com/key/pubring.asc      -O ${DESTINATION}/pubring.asc
  
  if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
  then 
    gpg --import ${DESTINATION}/pubring.asc      
  fi

  echo "testing ${DESTINATION}/setup-x86.exe"
  gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
  if [ ${?} -gt 0 ]
  then
    mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
  fi

  echo "testing ${DESTINATION}/setup-x86_64.exe"
  gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
  if [ ${?} -gt 0 ]
  then 
    mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
  fi
###
Here is the output:
testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"

testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

 -- 
Thomas Sanders | Sr. Network Systems Administrator
TrellisWare Technologies, Inc.

Office/FAX: 858-753-1654 | Mobile: 619-512-3311



* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Herbert Stocker @ 2016-09-29  2:29 UTC
  To: cygwin

Hi,

On 28.09.2016 23:05, Wayne Porter wrote:
> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>> gpg --verify setup-x86.exe.sig setup-x86.exe
>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA
>
> This appears to be a good signature, just that the key is untrusted. Someone
> else correct me if I'm wrong, but that is typical to see, at least for me.

But doesn't it mean that anybody who manages to hack into your web
server, or who does a man in the middle attack on the HTTP (without S)
connection, is able to replace the setup-x86.exe by a malicious one
and to also provide a corresponding setup-x86.exe.sig, so that the gpg
output will be "good signature but untrusted key"?

my 2 cents.

Herbert



* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Brian Inglis @ 2016-09-29  5:40 UTC
  To: cygwin

On 2016-09-28 16:58, Thomas Sanders wrote:
> ###
>   wget -q http://cygwin.com/setup-x86.exe        -O ${DESTINATION}/setup-x86.exe
>   wget -q http://cygwin.com/setup-x86.exe.sig    -O ${DESTINATION}/setup-x86.exe.sig
>   wget -q http://cygwin.com/setup-x86_64.exe     -O ${DESTINATION}/setup-x86_64.exe
>   wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
>   wget -q http://cygwin.com/key/pubring.asc      -O ${DESTINATION}/pubring.asc
>
>   if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
>   then
>     gpg --import ${DESTINATION}/pubring.asc
>   fi
>
>   echo "testing ${DESTINATION}/setup-x86.exe"
>   gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
>   if [ ${?} -gt 0 ]
>   then
>     mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
>   fi
>
>   echo "testing ${DESTINATION}/setup-x86_64.exe"
>   gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
>   if [ ${?} -gt 0 ]
>   then
>     mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
>   fi ###
> Here is the output:
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"
>
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

IIRC to suppress BAD and WARNING (it's been a while since I did this)
you install gnupg package, then generate your own key:
[following edited to obscure local details; I edited the details using
the example provided in gpg; skip this step if you have already done it
with your own details]

$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `~/.gnupg' created
gpg: new configuration file `~/.gnupg/gpg.conf' created
gpg: WARNING: options in `~/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `~/.gnupg/secring.gpg' created
gpg: keyring `~/.gnupg/pubring.gpg' created

Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 28 Sep 2018 09:17:14 PM GMT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
     "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Heinrich Heine
Email address: heinrichh@duesseldorf.de
Comment: Der Dichter
You selected this USER-ID:
     "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

[*open another terminal and run "find / >& /dev/null &"; then do a Windows
File Explorer search for e; browse the web and wave the mouse around;
type junk into other windows; until the following messages stop appearing:
may take a few minutes unless your system is running background work*]

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 264 more bytes)
............+++++
....+++++

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 86 more bytes)
.....+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 128 more bytes)
............+++++

gpg: ~/.gnupg/trustdb.gpg: trustdb created
gpg: key FFFFFFFF marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-09-29
pub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
       Key fingerprint = FFFF FFFF FFFF FFFF FFFF  FFFF FFFF FFFF FFFF FFFF
uid                  Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]

$ gpg --list-keys
~/.gnupg/pubring.gpg
----------------------------
pub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
uid                  Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]

$

Only then can you add the Cygwin key to your key ring:

$ gpg --keyserver keys.gnupg.net --recv-keys 676041BA

then make it good by running:

$ gpg --keyserver keys.gnupg.net --edit-key 676041BA
gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024D/676041BA  created: 2008-06-13  expires: never       usage: SC
sub  1024g/A1DB7B5C  created: 2008-06-13  expires: never       usage: E (1). Cygwin <cygwin@cygwin.com>

gpg> trust
pub  1024D/676041BA  created: 2008-06-13  expires: never       usage: SC
sub  1024g/A1DB7B5C  created: 2008-06-13  expires: never       usage: E (1). Cygwin <cygwin@cygwin.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

   1 = I don't know or won't say
   2 = I do NOT trust
   3 = I trust marginally
   4 = I trust fully
   5 = I trust ultimately
   m = back to the main menu

Your decision? 5 [or maybe 4?]

gpg> q

$

Now your gpg --verify should succeed with a good key.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada


* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Lee @ 2016-09-29 18:40 UTC
  To: cygwin

On 9/28/16, Herbert Stocker wrote:
> Hi,
>
> On 28.09.2016 23:05, Wayne Porter wrote:
>> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>>> gpg --verify setup-x86.exe.sig setup-x86.exe
>>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID
>>> 676041BA
>>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:          There is no indication that the signature belongs to the
>>> owner.
>>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760
>>> 41BA
>>
>> This appears to be a good signature, just that the key is untrusted.
>> Someone
>> else correct me if I'm wrong, but that is typical to see, at least for
>> me.
>
> But doesn't it mean that anybody who manages to hack into your web
> server, or who does a man in the middle attack on the HTTP (without S)
> connection, is able to replace the setup-x86.exe by a malicious one
> and to also provide a corresponding setup-x86.exe.sig, so that the gpg
> output will be "good signature but untrusted key"?

Only if you don't already have a cygwin@cygwin.com key saved:
  if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
  then
    gpg --import ${DESTINATION}/pubring.asc
  fi

although checking for exactly one instance instead of an instance seems doubtful.

On the other hand, I didn't even know setupXXX.exe was signed so I
haven't been checking at all :(

It'd be nice if someone could add a signature + public key link on the
front page instead of having to click through the "fresh install" or
"update" link to find out there's signatures available.

Lee


* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Achim Gratz @ 2016-09-29 18:41 UTC
  To: cygwin

Thomas Sanders writes:
> Thanks for the reply, here is the actual script. I must have copy/pasted the wrong info previously.
> ###
>   wget -q http://cygwin.com/setup-x86.exe        -O ${DESTINATION}/setup-x86.exe
>   wget -q http://cygwin.com/setup-x86.exe.sig    -O ${DESTINATION}/setup-x86.exe.sig
>   wget -q http://cygwin.com/setup-x86_64.exe     -O ${DESTINATION}/setup-x86_64.exe
>   wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
>   wget -q http://cygwin.com/key/pubring.asc      -O ${DESTINATION}/pubring.asc

For checking the signatures to be of any real use, you'd need to use
https at least.  Also, you'd need to establish the provenance of the key
independently.

> testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"

BLODA, most likely.  Particularly some stupid heuristic scanner that
thinks that UPX compressed binaries are dangerous just because they use
compression.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves

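Pulling together Herbert's concern (file, signature and key all replaceable when fetched over plain http), Lee's note on the key-present check, and Achim's advice to use https and establish the key's provenance independently: the following is an added example, not code from the thread or from the Cygwin project, of the same download-and-verify loop written so that the verdict comes from gpg's machine-readable status output and a pinned fingerprint rather than from the exit status or the trust database. It assumes wget and gpg are installed, that the Cygwin public key has been imported once, and that the fingerprint below (the one printed in Thomas's gpg output) has been compared against an independent source; the sample status lines near the end are constructed, not real gpg output.

```shell
#!/bin/sh
# Added example (not from the thread): verify Cygwin setup binaries by pinning
# the signing key's fingerprint and reading gpg's --status-fd lines, so "good
# signature, untrusted key" passes while any other key, or an altered file, fails.
set -u

# Fingerprint printed in the thread's gpg output, without spaces. Pinning it
# makes Brian's trust-database editing unnecessary and defeats a swapped-in key.
EXPECTED_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# check_status: read "[GNUPG:] ..." lines from stdin, print one verdict:
#   GOOD      valid signature made by the pinned key
#   BAD       signature does not match the file (tampered, or mangled by AV)
#   WRONGKEY  valid signature, but not by the pinned key (or expired/revoked key)
#   NOSIG     no usable signature or key (missing .sig, key not imported)
check_status() {
  verdict=NOSIG
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] BADSIG "*) verdict=BAD ;;
      "[GNUPG:] VALIDSIG "*)
        # VALIDSIG lists the signing-key fingerprint first and the primary-key
        # fingerprint last; a whole-word match on either is accepted.
        case " $line " in
          *" $EXPECTED_FPR "*) if [ "$verdict" = NOSIG ]; then verdict=GOOD; fi ;;
          *) verdict=WRONGKEY ;;
        esac ;;
      "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) verdict=WRONGKEY ;;
    esac
  done
  printf '%s\n' "$verdict"
}

# verify_file FILE SIG: gpg's human-readable text stays on stderr; the status
# lines go to check_status, whose verdict becomes this function's output.
verify_file() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status
}

# fetch_and_check DEST NAME: fetch NAME and NAME.sig over https, then quarantine
# the binary under a name that records the verdict unless it is GOOD.
fetch_and_check() {
  dest=$1; name=$2
  wget -q "https://cygwin.com/$name"     -O "$dest/$name"     || return 1
  wget -q "https://cygwin.com/$name.sig" -O "$dest/$name.sig" || return 1
  result=$(verify_file "$dest/$name" "$dest/$name.sig")
  echo "$name: $result" >&2
  if [ "$result" != GOOD ]; then
    mv "$dest/$name" "$dest/$name.DONT_USE-$result"
    return 1
  fi
}

# Constructed sample status lines (not real gpg output) so the classifier can
# be exercised offline. Key ID and fingerprint are the Cygwin key's as printed
# in the thread; the swapped-key sample uses an all-zero placeholder.
SAMPLE_GOOD='[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2016-09-09 1473412802 0 4 0 17 2 00 1169DF9F22734F743AA59232A9A262FF676041BA
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_BAD='[GNUPG:] BADSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>'
SAMPLE_SWAPPED='[GNUPG:] GOODSIG 0000000000000000 Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2016-09-09 1473412802 0 4 0 17 2 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED'

for s in "$SAMPLE_GOOD" "$SAMPLE_BAD" "$SAMPLE_SWAPPED"; do
  printf '%s\n' "$s" | check_status      # prints GOOD, BAD, WRONGKEY
done

# Real run, when a destination directory is given on the command line.
if [ $# -gt 0 ]; then
  fetch_and_check "$1" setup-x86.exe
  fetch_and_check "$1" setup-x86_64.exe
fi
```

The Cygwin public key still has to be in the keyring for gpg to emit VALIDSIG at all (import https://cygwin.com/key/pubring.asc once); with the fingerprint pinned, which key happened to be imported and what trust it carries no longer decides the verdict.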
