From: Brian Inglis
Organization: Systematic Software
Date: Thu, 30 Dec 2021 15:58:54 -0700
Subject: Re: Unable to Verify 64 bit Installer on Windows
To: cygwin@cygwin.com
Reply-To: cygwin@cygwin.com
Message-ID: <73fb3666-c8cf-8a90-3717-51af6165f71a@SystematicSw.ab.ca>
List-Id: General Cygwin discussions and problem reports

On 2021-12-30 14:24, Greg Williamson wrote:
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
>
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin ". I also created a SHA512 hash of the installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum

Did you perhaps download and rename the test setup 2.910 release?
It's normally best to post commands and output verbatim.
Sometimes you may have to manually run gpg2 --update-trustdb.

> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.

Were the keys used the same as for x86_64?

> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!
All look good to me:

$ gpg2 --verify ~/mirror/x86/setup.xz{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:40 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [full]
$ gpg2 --verify ~/mirror/x86/setup.ini{.sig,}
gpg: Signature made 2021 Dec 23 Thu 04:14:28 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [full]
$ gpg2 --verify ~/mirror/x86/setup-x86.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin " [full]
gpg: Signature made 2021 Jul 15 Thu 05:59:50 MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [full]
$ cd ~/mirror/x86/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86.exe: OK

$ gpg2 --verify ~/mirror/x86_64/setup.xz{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:43 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [full]
$ gpg2 --verify ~/mirror/x86_64/setup.ini{.sig,}
gpg: Signature made 2021 Dec 12 Sun 15:14:31 MST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [full]
$ gpg2 --verify ~/mirror/x86_64/setup-x86_64.exe{.sig,}
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin " [full]
gpg: Signature made 2021 Jul 15 Thu 06:05:58 MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [full]
$ cd ~/mirror/x86_64/ ; sha512sum --check --ignore-missing sha512.sum
setup.ini: OK
setup.ini.sig: OK
setup.xz: OK
setup.xz.sig: OK
setup-x86_64.exe: OK

I've concatenated the downloaded cygwin.com and mirror arch sha512.sum.

--
Take care.
Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
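
Added example, not part of the message above and not Cygwin project code: the renamed-download question raised in the reply can be checked by looking a file up in a sha512.sum-style list by digest as well as by name. The helper names classify_download and make_sample are hypothetical, and the two "installer" files are constructed stand-ins, not real Cygwin binaries.

```shell
#!/bin/sh
# Added example: classify a download against a sha512.sum-style list,
# matching by file name and by digest. Helper names are hypothetical.

# Fall back to shasum where coreutils sha512sum is not installed.
command -v sha512sum >/dev/null 2>&1 || sha512sum() { shasum -a 512 "$@"; }

# Prints OK, RENAMED:<listed name>, MISMATCH or UNLISTED.
classify_download() {
    file=$1; sums=$2
    name=$(basename "$file")
    digest=$(sha512sum "$file" | awk '{print $1}')
    # List lines are "<hex digest>  <name>"; a leading '*' on the name marks
    # binary mode. A name may occur more than once in a concatenated list.
    awk -v n="$name" -v d="$digest" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && $1 == d { found = 1; print "OK"; exit }
        $1 == d { other = f }    # same content listed under another name
        f == n  { named = 1 }    # same name listed with different content
        END {
            if (found) exit
            if (other != "") print "RENAMED:" other
            else if (named)  print "MISMATCH"
            else             print "UNLISTED"
        }' "$sums"
}

# Constructed sample data: two stand-in installers and their sum list.
make_sample() {
    dir=$1
    printf 'constructed stable installer\n' > "$dir/setup-x86_64.exe"
    printf 'constructed test installer\n'   > "$dir/setup-test.exe"
    ( cd "$dir" && sha512sum setup-x86_64.exe setup-test.exe > sha512.sum )
}

tmp=$(mktemp -d)
make_sample "$tmp"
mkdir "$tmp/dl"
# Simulate a test build saved under the stable installer's name.
cp "$tmp/setup-test.exe" "$tmp/dl/setup-x86_64.exe"
classify_download "$tmp/setup-x86_64.exe"    "$tmp/sha512.sum"
classify_download "$tmp/dl/setup-x86_64.exe" "$tmp/sha512.sum"
rm -rf "$tmp"
```

RENAMED can only be reported when the list actually contains the other file's digest, which is one reason to concatenate every relevant sum list before checking.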