From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
To: cygwin@cygwin.com
Subject: Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
Date: Thu, 29 Sep 2016 05:40:00 -0000 [thread overview]
Message-ID: <64b6c7d3-2f24-0bb0-d36c-04d4badf37d9@SystematicSw.ab.ca> (raw)
In-Reply-To: <B0BF22335C47694D8CF77683CF7C809C8451E60E@TWHQ-MAIL1.trellisware.com>
On 2016-09-28 16:58, Thomas Sanders wrote:
> ###
> wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe
> wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig
> wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe
> wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
> wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc
>
> if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
> then
> gpg --import ${DESTINATION}/pubring.asc
> fi
>
> echo "testing ${DESTINATION}/setup-x86.exe"
> gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
> if [ ${?} -gt 0 ]
> then
> mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
> fi
>
> echo "testing ${DESTINATION}/setup-x86_64.exe"
> gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
> if [ ${?} -gt 0 ]
> then
> mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
> fi ###
> Here is the output:
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"
>
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
IIRC to suppress BAD and WARNING (it's been a while since I did this)
you install gnupg package, then generate your own key:
[following edited to obscure local details; I edited the details using
the example provided in gpg; skip this step if you have already done it
with your own details]
$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `~/.gnupg' created
gpg: new configuration file `~/.gnupg/gpg.conf' created
gpg: WARNING: options in `~/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `~/.gnupg/secring.gpg' created
gpg: keyring `~/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 28 Sep 2018 09:17:14 PM GMT
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Heinrich Heine
Email address: heinrichh@duesseldorf.de
Comment: Der Dichter
You selected this USER-ID:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
[*open another terminal and run "find / >& /dev/null &"; then do a Windows
File Explorer search for e; browse the web and wave the mouse around;
type junk into other windows; until the following messages stop appearing:
may take a few minutes unless your system is running background work*]
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 264 more bytes)
............+++++
....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 86 more bytes)
.....+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 128 more bytes)
............+++++
gpg: ~/.gnupg/trustdb.gpg: trustdb created
gpg: key FFFFFFFF marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-09-29
pub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
Key fingerprint = FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
uid Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
$ gpg --list-keys
~/.gnupg/pubring.gpg
----------------------------
pub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
uid Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
$
Only then can you add the Cygwin key to your key ring:
$ gpg --keyserver keys.gnupg.net --recv-keys 676041BA
then make it good by running:
$ gpg --keyserver keys.gnupg.net --edit-key 676041BA
gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024D/676041BA created: 2008-06-13 expires: never usage: SC
sub 1024g/A1DB7B5C created: 2008-06-13 expires: never usage: E (1). Cygwin <cygwin@cygwin.com>
gpg> trust
pub 1024D/676041BA created: 2008-06-13 expires: never usage: SC
sub 1024g/A1DB7B5C created: 2008-06-13 expires: never usage: E (1). Cygwin <cygwin@cygwin.com>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5 [or maybe 4?]
gpg> q
$
Now your gpg --verify should succeed with a good key.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2016-09-29 4:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-28 21:06 Thomas Sanders
2016-09-28 21:11 ` Wayne Porter
2016-09-29 2:29 ` Herbert Stocker
2016-09-29 18:40 ` Lee
2016-09-28 21:20 ` Andrey Repin
2016-09-29 0:05 ` Thomas Sanders
2016-09-29 5:40 ` Brian Inglis [this message]
2016-09-29 18:41 ` Achim Gratz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64b6c7d3-2f24-0bb0-d36c-04d4badf37d9@SystematicSw.ab.ca \
--to=brian.inglis@systematicsw.ab.ca \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).