From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 29396 invoked by alias); 29 Sep 2016 02:04:59 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 29377 invoked by uid 89); 29 Sep 2016 02:04:58 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=0.4 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=ham version=3.3.2 spammy=Wayne, attack, herbert, H*r:Nemesis X-HELO: mout.gmx.net Received: from mout.gmx.net (HELO mout.gmx.net) (212.227.17.22) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 29 Sep 2016 02:04:48 +0000 Received: from [127.0.0.1] ([46.163.75.188]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MV6PJ-1bQI8e0tm1-00YQ3P; Thu, 29 Sep 2016 04:04:45 +0200 Subject: Re: URGENT: BAD signature from "Cygwin " To: cygwin@cygwin.com References: <20160928210553.GA12532@hdmetxxxx33004g.AD.UCSD.EDU> From: Herbert Stocker Message-ID: <57EC76BB.9050503@gmx.de> Date: Thu, 29 Sep 2016 02:29:00 -0000 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 In-Reply-To: <20160928210553.GA12532@hdmetxxxx33004g.AD.UCSD.EDU> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-UI-Out-Filterresults: notjunk:1;V01:K0:3Ggf2yw44y4=:bS6Q47Z20jBBSakYBl6eiZ ACdieegyipfyl8HZMC5SzePg7N3MQ9ywDUhCsSW0vDbkKwflQGdHUzETcB+aXwKiW9tMV2ZBj iSx4oRZc0Zu9RC19ipSv9e6ZMClnHAe3qFta4X2VkIbPvJwFL4fthgKTrnb9qI1DNM4Zw9Iin 5J98RtcXYu97zAiLAN1YanV9QL8CUcHcGqlL4bKl+GEu3xkgoOT187lG1Bf83TsDLqmGBG+W7 OWEw6DwauSeCn3o9I27M0/5s9s0myPY+EUAbRT5ZRqthnaYgKDIQJ6OM8fFDeYrS4Pw4lTS1W Sun9lNmGi3lWuD92Cd/W7sWW0TZqelsU3DJ56CkbK5wvGLweNk6H6wxxuQ6EEuGOrtiLouP+U JkgJ0aSFVNtJ30ZFvdmiLTf8w3CrTr5E7U6+wsatK4YLjKigjhoK9wqsqE8YrwPu1XtPKVtRe ZYElXD8YnXY/mUKOzkSF6IiUNgXH0yqUbalzR8A1jEn3r9iuUE7w5VNHX3RaiqFRd0X2t1CE/ V4y5+VVjLsYW/VBUYmRm+GxJAt+Ac9g7fbDNzu28pdxl/alaO1nR6naWJpik4TCJ4rPi5YCiq aeefmrD4MBXPRjy5RfDNTOnqpTRSOWPInTt7FdqU/EChr0eAYSQzDKcABjOek9mxHxTUmvciO pyTL7D0X8UIGJ6PnpNrRFQbo3Um9P/1Rk9qXEQw/dEkGwBnZ0KW6mDLC1R0aaRsedUqA+b1DJ Z9qGwEPup8606AJeIpqHylPAyqve3yPH+aro/oh862rhvOaVxSunuP4DBZbOHJheTEOeJgIWV XJNebJS X-IsSubscribed: yes X-SW-Source: 2016-09/txt/msg00387.txt.bz2 Hi, On 28.09.2016 23:05, Wayne Porter wrote: > On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote: >> gpg --verify setup-x86.exe.sig setup-x86.exe >> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA >> gpg: Good signature from "Cygwin " >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to the owner. >> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA > > This appears to be a good signature, just that the key is untrusted. Someone > else correct me if I'm wrong, but that is typical to see, at least for me. But doesn't it mean that anybody who manages to hack into your web server, or who does a man in the middle attack on the HTTP (without S) connection, is able to replace the setup-x86.exe by a malicious one and to also provide a corresponding setup-x86.exe.sig, so that the gpg output will be "good signature but untrusted key"? my 2 cents. Herbert -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple