* URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Thomas Sanders @ 2016-09-28 21:06 UTC (permalink / raw)
To: cygwin
FYI, I don't know if this is working as designed (please see the application error below)
wget https://cygwin.com/setup-x86.exe
wget https://cygwin.com/setup-x86.exe.sig
gpg --verify setup-x86.exe.sig setup-x86.exe
gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
When running the app the following error occurs (Windows 7)
This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with
the version of Windows you're running. Check your computer's system information to
see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and
then contact the software publisher.
----
wget https://cygwin.com/setup-x86_64.exe.sig
wget https://cygwin.com/setup-x86_64.exe
gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
--
Thomas Sanders | Sr. Network Systems Administrator
TrellisWare Technologies, Inc.
Office/FAX: 858-753-1654 | Mobile: 619-512-3311
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Wayne Porter @ 2016-09-28 21:11 UTC (permalink / raw)
To: cygwin
On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
> gpg --verify setup-x86.exe.sig setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
This appears to be a good signature, just that the key is untrusted. Someone
else correct me if I'm wrong, but that is typical to see, at least for me.
> When running the app the following error occurs (Windows 7)
>
> This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with
> the version of Windows you're running. Check your computer's system information to
> see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and
> then contact the software publisher.
What is the output of the following from your system:
echo %PROCESSOR_IDENTIFIER% %PROCESSOR_ARCHITECTURE%
Wayne Porter
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Andrey Repin @ 2016-09-28 21:20 UTC (permalink / raw)
To: Thomas Sanders, cygwin
Greetings, Thomas Sanders!
> FYI, I don't know if this is working as designed (please see the application error below)
> wget https://cygwin.com/setup-x86.exe
> wget https://cygwin.com/setup-x86.exe.sig
> gpg --verify setup-x86.exe.sig setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
-------^^^^^^^^^^^^^^
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
> When running the app the following error occurs (Windows 7)
> This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with
> the version of Windows you're running. Check your computer's system information to
> see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and
> then contact the software publisher.
Likely cause is your AV software blocking the file.
Try saving it with -O innocent_name.exe
> ----
> wget https://cygwin.com/setup-x86_64.exe.sig
> wget https://cygwin.com/setup-x86_64.exe
> gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
-------^^^^^^^^^^^^^^
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
Did you copy-paste the wrong console output or what?
--
With best regards,
Andrey Repin
Thursday, September 29, 2016 00:12:02
Sorry for my terrible English...
* RE: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Thomas Sanders @ 2016-09-29 0:05 UTC (permalink / raw)
To: cygwin
Thanks for the reply, here is the actual script. I must have copy/pasted the wrong info previously.
###
wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe
wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig
wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe
wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc
if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
then
gpg --import ${DESTINATION}/pubring.asc
fi
echo "testing ${DESTINATION}/setup-x86.exe"
gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
if [ ${?} -gt 0 ]
then
mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
fi
echo "testing ${DESTINATION}/setup-x86_64.exe"
gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
if [ ${?} -gt 0 ]
then
mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
fi
###
Here is the output:
testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"
testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
--
Thomas Sanders | Sr. Network Systems Administrator
TrellisWare Technologies, Inc.
Office/FAX: 858-753-1654 | Mobile: 619-512-3311
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Herbert Stocker @ 2016-09-29 2:29 UTC (permalink / raw)
To: cygwin
Hi,
On 28.09.2016 23:05, Wayne Porter wrote:
> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>> gpg --verify setup-x86.exe.sig setup-x86.exe
>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
>
> This appears to be a good signature, just that the key is untrusted. Someone
> else correct me if I'm wrong, but that is typical to see, at least for me.
But doesn't it mean that anybody who manages to hack into your web
server, or who does a man in the middle attack on the HTTP (without S)
connection, is able to replace the setup-x86.exe by a malicious one
and to also provide a corresponding setup-x86.exe.sig, so that the gpg
output will be "good signature but untrusted key"?
my 2 cents.
Herbert
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Brian Inglis @ 2016-09-29 5:40 UTC (permalink / raw)
To: cygwin
On 2016-09-28 16:58, Thomas Sanders wrote:
> ###
> wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe
> wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig
> wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe
> wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
> wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc
>
> if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
> then
> gpg --import ${DESTINATION}/pubring.asc
> fi
>
> echo "testing ${DESTINATION}/setup-x86.exe"
> gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
> if [ ${?} -gt 0 ]
> then
> mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
> fi
>
> echo "testing ${DESTINATION}/setup-x86_64.exe"
> gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
> if [ ${?} -gt 0 ]
> then
> mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
> fi
> ###
> Here is the output:
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"
>
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
IIRC to suppress BAD and WARNING (it's been a while since I did this)
you install gnupg package, then generate your own key:
[following edited to obscure local details; I edited the details using
the example provided in gpg; skip this step if you have already done it
with your own details]
$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `~/.gnupg' created
gpg: new configuration file `~/.gnupg/gpg.conf' created
gpg: WARNING: options in `~/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `~/.gnupg/secring.gpg' created
gpg: keyring `~/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 28 Sep 2018 09:17:14 PM GMT
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Heinrich Heine
Email address: heinrichh@duesseldorf.de
Comment: Der Dichter
You selected this USER-ID:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
[*open another terminal and run "find / >& /dev/null &"; then do a Windows
File Explorer search for e; browse the web and wave the mouse around;
type junk into other windows; until the following messages stop appearing:
may take a few minutes unless your system is running background work*]
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 264 more bytes)
............+++++
....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 86 more bytes)
.....+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 128 more bytes)
............+++++
gpg: ~/.gnupg/trustdb.gpg: trustdb created
gpg: key FFFFFFFF marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-09-29
pub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
Key fingerprint = FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
uid Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
$ gpg --list-keys
~/.gnupg/pubring.gpg
----------------------------
pub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
uid Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
$
Only then can you add the Cygwin key to your key ring:
$ gpg --keyserver keys.gnupg.net --recv-keys 676041BA
then make it good by running:
$ gpg --keyserver keys.gnupg.net --edit-key 676041BA
gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024D/676041BA created: 2008-06-13 expires: never usage: SC
sub 1024g/A1DB7B5C created: 2008-06-13 expires: never usage: E
(1). Cygwin <cygwin@cygwin.com>
gpg> trust
pub 1024D/676041BA created: 2008-06-13 expires: never usage: SC
sub 1024g/A1DB7B5C created: 2008-06-13 expires: never usage: E
(1). Cygwin <cygwin@cygwin.com>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5 [or maybe 4?]
gpg> q
$
Now your gpg --verify should succeed with a good key.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Lee @ 2016-09-29 18:40 UTC (permalink / raw)
To: cygwin
On 9/28/16, Herbert Stocker wrote:
> Hi,
>
> On 28.09.2016 23:05, Wayne Porter wrote:
>> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>>> gpg --verify setup-x86.exe.sig setup-x86.exe
>>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID
>>> 676041BA
>>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg: There is no indication that the signature belongs to the
>>> owner.
>>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760
>>> 41BA
>>
>> This appears to be a good signature, just that the key is untrusted.
>> Someone
>> else correct me if I'm wrong, but that is typical to see, at least for
>> me.
>
> But doesn't it mean that anybody who manages to hack into your web
> server, or who does a man in the middle attack on the HTTP (without S)
> connection, is able to replace the setup-x86.exe by a malicious one
> and to also provide a corresponding setup-x86.exe.sig, so that the gpg
> output will be "good signature but untrusted key"?
Only if you don't already have a cygwin@cygwin.com key saved:
if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
then
gpg --import ${DESTINATION}/pubring.asc
fi
although checking for exactly one instance instead of an instance seems doubtful.
On the other hand, I didn't even know setupXXX.exe was signed so I
haven't been checking at all :(
It'd be nice if someone could add a signature + public key link on the
front page instead of having to click through the "fresh install" or
"update" link to find out there are signatures available.
Lee
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
From: Achim Gratz @ 2016-09-29 18:41 UTC (permalink / raw)
To: cygwin
Thomas Sanders writes:
> Thanks for the reply, here is the actual script. I must have copy/pasted the wrong info previously.
> ###
> wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe
> wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig
> wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe
> wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
> wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc
For checking the signatures to be of any real use, you'd need to use
https at least. Also, you'd need to establish the provenance of the key
independently.
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"
BLODA, most likely. Particularly some stupid heuristic scanner that
thinks that UPX compressed binaries are dangerous just because they use
compression.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves
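
Added example, not part of any message in this thread: Lee's remark on the grep -c 'cygwin@cygwin.com' check and Achim's remark on key provenance both come down to pinning the signer by full fingerprint rather than by user ID or gpg's exit status, which is what this sketch does by parsing gpg --status-fd output. The function names, the sample status lines and the look-alike fingerprint are constructed for illustration; the pinned value is the fingerprint gpg printed in the thread and only counts as a pin once confirmed through a channel other than the download itself.

```shell
#!/bin/sh
# Added example: accept a download only if gpg reports a valid signature made by
# one pinned key. Matching on the user ID or on gpg's exit status is not enough,
# because any imported key can carry the UID "Cygwin <cygwin@cygwin.com>".

# Fingerprint printed by gpg in the thread, spaces removed (assumed to have been
# confirmed out of band before being used as a pin).
CYGWIN_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"
# Constructed placeholder standing in for some other key with the same UID.
LOOKALIKE_FPR="00000000000000000000000000000000DEADBEEF"

# check_status PINNED_FPR   (reads `gpg --status-fd` lines on stdin)
# Succeeds only if a VALIDSIG line names the pinned fingerprint, as signing key
# (field 3) or primary key (last field), and no failure status was reported.
check_status() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned FILE SIG [PINNED_FPR]
# Runs gpg on a detached signature and lets check_status decide.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "${3:-$CYGWIN_FPR}"
}

# Constructed status output: good signature from the pinned key, trust not set.
sample_good() {
    cat <<EOF
[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG $CYGWIN_FPR 2016-09-09 1473412802 0 4 0 17 2 00 $CYGWIN_FPR
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed status output: cryptographically good signature, same UID,
# but made by a different key. gpg alone would print "Good signature".
sample_lookalike() {
    cat <<EOF
[GNUPG:] GOODSIG 00000000DEADBEEF Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG $LOOKALIKE_FPR 2016-09-09 1473412802 0 4 0 17 2 00 $LOOKALIKE_FPR
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed status output: file does not match the signature.
sample_bad() {
    cat <<EOF
[GNUPG:] BADSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
EOF
}

# Stand-alone use: ./script setup-x86.exe setup-x86.exe.sig
if [ "$#" -ge 2 ]; then
    verify_pinned "$1" "$2" || { echo "REJECT: $1" >&2; exit 1; }
    echo "OK: $1 signed by $CYGWIN_FPR"
fi
```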