From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cygwin-return-205316-listarch-cygwin=sourceware.org@cygwin.com>
Received: (qmail 64817 invoked by alias); 29 Sep 2016 04:08:50 -0000
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Received: (qmail 64809 invoked by uid 89); 29 Sep 2016 04:08:49 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=3.3 required=5.0 tests=AWL,BAYES_50,EXECUTABLE_URI,KAM_EXEURI,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.2 spammy=2016-09-29, userid, H*RU:64.59.134.12, Hx-spam-relays-external:64.59.134.12
X-HELO: smtp-out-no.shaw.ca
Received: from smtp-out-no.shaw.ca (HELO smtp-out-no.shaw.ca) (64.59.134.12) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 29 Sep 2016 04:08:39 +0000
Received: from [192.168.1.100] ([174.0.238.184])	by shaw.ca with SMTP	id pSeCblAvmfI0apSeDbU3yx; Wed, 28 Sep 2016 22:08:38 -0600
X-Authority-Analysis: v=2.2 cv=JOx5iICb c=1 sm=1 tr=0 a=WqCeCkldcEjBO3QZneQsCg==:117 a=WqCeCkldcEjBO3QZneQsCg==:17 a=w_pzkKWiAAAA:8 a=IkcTkHD0fZMA:10 a=zGGjxxUDAAAA:8 a=Q-wW1a7ankSrvAYKVx8A:9 a=7Zwj6sZBwVKJAoWSPKxL6X1jA+E=:19 a=5JUVm3fbaY58p7yF:21 a=FMASf0mfamzu5Vkf:21 a=QEXdDO2ut3YA:10 a=YQIJh5dqO5EA:10 a=sRI3_1zDfAgwuvI8zelB:22 a=t77UKEx5sq5RR-Q8SVSL:22
Reply-To: Brian.Inglis@SystematicSw.ab.ca
Subject: Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
References: <B0BF22335C47694D8CF77683CF7C809C8451E464@TWHQ-MAIL1.trellisware.com> <125363965.20160929001342@yandex.ru> <B0BF22335C47694D8CF77683CF7C809C8451E60E@TWHQ-MAIL1.trellisware.com>
To: cygwin@cygwin.com
From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Message-ID: <64b6c7d3-2f24-0bb0-d36c-04d4badf37d9@SystematicSw.ab.ca>
Date: Thu, 29 Sep 2016 05:40:00 -0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <B0BF22335C47694D8CF77683CF7C809C8451E60E@TWHQ-MAIL1.trellisware.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfJaWSR2H1rHxJPM35+XyeKA/JzLLTnBv5RPS2Nrrb1yNzEPNPnoFQzc1brojxa7HqXJF/tgBFf/dY6PekuIZL9yjxr5Hf2WTQKT5yOViie2qQVVekgbs lXeUkbigUH74gv26h+usMSK6mTaGTnn5rwawQx+GE50Zpy+VazcmTJl0kC+7/SRrrIBHkR4Uh92HFA==
X-IsSubscribed: yes
X-SW-Source: 2016-09/txt/msg00389.txt.bz2

On 2016-09-28 16:58, Thomas Sanders wrote:
> ###
>   wget -q http://cygwin.com/setup-x86.exe        -O ${DESTINATION}/setup-x86.exe
>   wget -q http://cygwin.com/setup-x86.exe.sig    -O ${DESTINATION}/setup-x86.exe.sig
>   wget -q http://cygwin.com/setup-x86_64.exe     -O ${DESTINATION}/setup-x86_64.exe
>   wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig
>   wget -q http://cygwin.com/key/pubring.asc      -O ${DESTINATION}/pubring.asc
>
>   if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
>   then
>     gpg --import ${DESTINATION}/pubring.asc
>   fi
>
>   echo "testing ${DESTINATION}/setup-x86.exe"
>   gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe
>   if [ ${?} -gt 0 ]
>   then
>     mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE
>   fi
>
>   echo "testing ${DESTINATION}/setup-x86_64.exe"
>   gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe
>   if [ ${?} -gt 0 ]
>   then
>     mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE
>   fi ###
> Here is the output:
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
> gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"
>
> testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe
> gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA
> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

IIRC to suppress BAD and WARNING (it's been a while since I did this)
you install gnupg package, then generate your own key:
[following edited to obscure local details; I edited the details using
the example provided in gpg; skip this step if you have already done it
with your own details]

$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `~/.gnupg' created
gpg: new configuration file `~/.gnupg/gpg.conf' created
gpg: WARNING: options in `~/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `~/.gnupg/secring.gpg' created
gpg: keyring `~/.gnupg/pubring.gpg' created

Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 28 Sep 2018 09:17:14 PM GMT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
     "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Heinrich Heine
Email address: heinrichh@duesseldorf.de
Comment: Der Dichter
You selected this USER-ID:
     "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

[*open another terminal and run "find / >& /dev/null &"; then do a Windows
File Explorer search for e; browse the web and wave the mouse around;
type junk into other windows; until the following messages stop appearing:
may take a few minutes unless your system is running background work*]

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 264 more bytes)
............+++++
....+++++

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 86 more bytes)
.....+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 128 more bytes)
............+++++

gpg: ~/.gnupg/trustdb.gpg: trustdb created
gpg: key FFFFFFFF marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-09-29
pub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
       Key fingerprint = FFFF FFFF FFFF FFFF FFFF  FFFF FFFF FFFF FFFF FFFF
uid                  Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]

$ gpg --list-keys
~/.gnupg/pubring.gpg
----------------------------
pub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]
uid                  Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>
sub   2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29]

$

Only then can you add the Cygwin key to your key ring:

$ gpg --keyserver keys.gnupg.net --recv-keys 676041BA

then make it good by running:

$ gpg --keyserver keys.gnupg.net --edit-key 676041BA
gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024D/676041BA  created: 2008-06-13  expires: never       usage: SC
sub  1024g/A1DB7B5C  created: 2008-06-13  expires: never       usage: E (1). Cygwin <cygwin@cygwin.com>

gpg> trust
pub  1024D/676041BA  created: 2008-06-13  expires: never       usage: SC
sub  1024g/A1DB7B5C  created: 2008-06-13  expires: never       usage: E (1). Cygwin <cygwin@cygwin.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

   1 = I don't know or won't say
   2 = I do NOT trust
   3 = I trust marginally
   4 = I trust fully
   5 = I trust ultimately
   m = back to the main menu

Your decision? 5 [or maybe 4?]

gpg> q

$

Now your gpg --verify should succeed with a good key.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple