From: Herbert Stocker <hersto@gmx.de>
To: cygwin@cygwin.com
Subject: Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
Date: Thu, 29 Sep 2016 02:29:00 -0000 [thread overview]
Message-ID: <57EC76BB.9050503@gmx.de> (raw)
In-Reply-To: <20160928210553.GA12532@hdmetxxxx33004g.AD.UCSD.EDU>
Hi,
On 28.09.2016 23:05, Wayne Porter wrote:
> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>> gpg --verify setup-x86.exe.sig setup-x86.exe
>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
>
> This appears to be a good signature, just that the key is untrusted. Someone
> else correct me if I'm wrong, but that is typical to see, at least for me.
But doesn't it mean that anybody who manages to hack into your web
server, or who does a man in the middle attack on the HTTP (without S)
connection, is able to replace the setup-x86.exe by a malicious one
and to also provide a corresponding setup-x86.exe.sig, so that the gpg
output will be "good signature but untrusted key"?
my 2 cents.
Herbert
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2016-09-29 2:04 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-28 21:06 Thomas Sanders
2016-09-28 21:11 ` Wayne Porter
2016-09-29 2:29 ` Herbert Stocker [this message]
2016-09-29 18:40 ` Lee
2016-09-28 21:20 ` Andrey Repin
2016-09-29 0:05 ` Thomas Sanders
2016-09-29 5:40 ` Brian Inglis
2016-09-29 18:41 ` Achim Gratz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57EC76BB.9050503@gmx.de \
--to=hersto@gmx.de \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).