public inbox for cygwin@cygwin.com
* Unable to Verify 64 bit Installer on Windows
From: Greg Williamson @ 2021-12-30 21:24 UTC (permalink / raw)
  To: cygwin

Hello,

While attempting to verify the installer found here:
https://cygwin.com/install.html

GPG verification for "setup-x86_64.exe" failed with "BAD signature from
"Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the installer
and it did not match the one posted here:
https://cygwin.com/sha512.sum

As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
The SHA512 matched and the GPG signature verification succeeded.

I thought I'd report here in case there was a security issue. Thank you in
advance for your assistance!

~Greg


* Re: Unable to Verify 64 bit Installer on Windows
From: Hamish McIntyre-Bhatty @ 2021-12-30 21:51 UTC (permalink / raw)
  To: cygwin



On 30/12/2021 21:24, Greg Williamson wrote:
> Hello,
>
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
>
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum
>
> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.
>
> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!
>
> ~Greg
>
This is concerning. I recently re-installed Cygwin so I'm glad I marked 
my packages as test. I hope those weren't compromised installers, though 
hopefully my antivirus would have stopped anything nefarious.

Hamish




* Re: Unable to Verify 64 bit Installer on Windows
From: Brian Inglis @ 2021-12-30 22:58 UTC (permalink / raw)
  To: cygwin

On 2021-12-30 14:24, Greg Williamson wrote:
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
> 
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum

Did you perhaps download and rename the test setup 2.910 release?

It's normally best to post commands and output verbatim.

Sometimes you may have to manually run gpg2 --update-trustdb.

> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.

Were the keys used the same as for x86_64?

> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!

All look good to me:

$ gpg2 --verify ~/mirror/x86/setup.xz{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:40 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86/setup.ini{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:28 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86/setup-x86.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ cd ~/mirror/x86/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86.exe: OK
$ gpg2 --verify ~/mirror/x86_64/setup.xz{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:43 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86_64/setup.ini{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:31 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ gpg2 --verify ~/mirror/x86_64/setup-x86_64.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
$ cd ~/mirror/x86_64/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86_64.exe: OK

I've concatenated the downloaded cygwin.com and mirror arch sha512.sum.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]


* Re: Unable to Verify 64 bit Installer on Windows
From: Jon Turney @ 2021-12-30 23:38 UTC (permalink / raw)
  To: Greg Williamson, The Cygwin Mailing List

On 30/12/2021 21:24, Greg Williamson wrote:
> Hello,
> 
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
> 
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum
> 
> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.
> 
> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!
> 

At 2021-Dec-30 19:14 UTC I downgraded the setup executables being served 
to a previous version, to give some more time to investigate an issue 
reported with setup 2.911.

I'm going to guess that was the reason for this.

However, please note that some caching outside of our control must have 
occurred, as at all times, the signatures and hashes presented were 
consistent and correct.
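The checks Brian runs above (gpg2 --verify on the .sig, sha512sum --check against sha512.sum) and Jon's point that a stale cached binary can fail both while the published signatures and hashes stay correct, combined as an added Python example that is not Cygwin's own code: it parses sha512.sum, compares the local file's SHA-512, and interprets gpg's machine-readable --status-fd output so that a "Good signature" is accepted only from the key fingerprints shown in Brian's output. It assumes gpg2 is on PATH with Cygwin's public key already imported; a hash mismatch is reported as something to re-download and compare, not as proof of compromise.

```python
import hashlib, re, subprocess
from pathlib import Path

# Signing-key fingerprints taken from the gpg output quoted earlier in this thread.
EXPECTED_FPRS = {"56405CF6FCC81574682A5D561A698DE9E2E56300",   # RSA key
                 "1169DF9F22734F743AA59232A9A262FF676041BA"}   # DSA key

def parse_sha512sum(text):
    """Parse sha512sum-format lines ('hex  filename' or 'hex *filename') into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{128})\s+\*?(.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def check_hash(path, sums_text):
    """Return (ok, reason). A mismatch only says the bytes on disk are not the ones
    the published sums describe: stale cache, a renamed test build, or tampering."""
    sums = parse_sha512sum(sums_text)
    name = Path(path).name
    if name not in sums:
        return False, f"{name} not listed in sha512.sum"
    if hashlib.sha512(Path(path).read_bytes()).hexdigest() != sums[name]:
        return False, "SHA-512 mismatch: re-download bypassing caches and compare again"
    return True, "SHA-512 OK"

def judge_gpg_status(status_text, expected=EXPECTED_FPRS):
    """Interpret gpg --status-fd lines: 'Good signature' alone is not enough,
    the VALIDSIG fingerprint must belong to a key we expect (first verdict wins)."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "BADSIG":
            return False, "BAD signature: the .sig does not match this file's bytes"
        if parts[1] == "VALIDSIG":
            fpr = parts[2].upper()
            if fpr in expected:
                return True, f"good signature from expected key {fpr}"
            return False, f"good signature but from an unexpected key {fpr}"
        if parts[1] in ("NO_PUBKEY", "ERRSIG"):
            return False, "signing key not available: import Cygwin's public key first"
    return False, "no signature verdict in gpg output"

def gpg_verify(sig_path, file_path, gpg="gpg2"):
    """Run gpg (assumed on PATH as gpg2) and judge its machine-readable status lines."""
    r = subprocess.run([gpg, "--status-fd", "1", "--verify", sig_path, file_path],
                       capture_output=True, text=True)
    return judge_gpg_status(r.stdout)
```

Installers carrying two signatures, as the DSA+RSA pairs in Brian's output do, yield two VALIDSIG lines; the function accepts on the first expected one.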

