From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from re-prd-fep-041.btinternet.com (mailomta27-re.btinternet.com [213.120.69.120]) by sourceware.org (Postfix) with ESMTPS id 542EC3858D39 for ; Thu, 30 Dec 2021 23:38:57 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 542EC3858D39 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=dronecode.org.uk Authentication-Results: sourceware.org; spf=none smtp.mailfrom=dronecode.org.uk Received: from re-prd-rgout-004.btmx-prd.synchronoss.net ([10.2.54.7]) by re-prd-fep-041.btinternet.com with ESMTP id <20211230233856.BKM24157.re-prd-fep-041.btinternet.com@re-prd-rgout-004.btmx-prd.synchronoss.net>; Thu, 30 Dec 2021 23:38:56 +0000 Authentication-Results: btinternet.com; auth=pass (PLAIN) smtp.auth=jonturney@btinternet.com; bimi=skipped X-SNCR-Rigid: 613A901C0EE84DAB X-Originating-IP: [81.129.146.209] X-OWM-Source-IP: 81.129.146.209 (GB) X-OWM-Env-Sender: jonturney@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedvuddruddvgedguddvucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefkffggfgfuvfhfhfgjtgfgsehtjeertddtfeejnecuhfhrohhmpeflohhnucfvuhhrnhgvhicuoehjohhnrdhtuhhrnhgvhiesughrohhnvggtohguvgdrohhrghdruhhkqeenucggtffrrghtthgvrhhnpeehudeuveeujeeujeegueefhedttdekvedtudeileefteetfeefjeejudekfefggfenucffohhmrghinheptgihghifihhnrdgtohhmnecukfhppeekuddruddvledrudegiedrvddtleenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopegludelvddrudeikedruddruddtfegnpdhinhgvthepkedurdduvdelrddugeeirddvtdelpdhmrghilhhfrhhomhepjhhonhdrthhurhhnvgihsegurhhonhgvtghouggvrdhorhhgrdhukhdprhgtphhtthhopegthihgfihinhestgihghifihhnrdgtohhmpdhrtghpthhtohepghhrvghgrdifihhllhhirghmshhonhegheesghhmrghilhdrtghomh X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean Received: from [192.168.1.103] (81.129.146.209) by re-prd-rgout-004.btmx-prd.synchronoss.net (5.8.716.04) (authenticated as jonturney@btinternet.com) id 613A901C0EE84DAB; Thu, 30 Dec 2021 23:38:56 +0000 Message-ID: <46fb394d-66dd-8648-b961-4a13411cc7ed@dronecode.org.uk> Date: Thu, 30 Dec 2021 23:38:52 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1 Subject: Re: Unable to Verify 64 bit Installer on Windows Content-Language: en-GB To: Greg Williamson , The Cygwin Mailing List References: From: Jon Turney In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1193.4 required=5.0 tests=BAYES_00, FORGED_SPF_HELO, KAM_DMARC_STATUS, KAM_LAZY_DOMAIN_SECURITY, NICE_REPLY_A, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_PASS, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: cygwin@cygwin.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Dec 2021 23:38:59 -0000 On 30/12/2021 21:24, Greg Williamson wrote: > Hello, > > While attempting to verify the installer found here: > https://cygwin.com/install.html > > GPG verification for "setup-x86_64.exe" failed with "BAD signature from > "Cygwin ". I also created a SHA512 hash of the installer > and it did not match the one posted here: > https://cygwin.com/sha512.sum > > As a sanity check I attempted to verify the 32bit version "setup-x86.exe". > The SHA512 matched and the GPG signature verification succeeded. > > I thought I'd report here in case there was a security issue. Thank you in > advance for your assistance! > At 2021-Dec-30 19:14 UTC I downgraded the setup executables being served to a previous version, to give some more time to investigate an issue reported with setup 2.911. I'm going to guess that was the reason for this. However, please note that some caching outside of our control must have occurred, as at all times, the signatures and hashes presented were consistent and correct.