* URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" @ 2016-09-28 21:06 Thomas Sanders 2016-09-28 21:11 ` Wayne Porter 2016-09-28 21:20 ` Andrey Repin 0 siblings, 2 replies; 8+ messages in thread From: Thomas Sanders @ 2016-09-28 21:06 UTC (permalink / raw) To: cygwin FYI, I don't know if this is working as designed (please see the application error below) wget https://cygwin.com/setup-x86.exe wget https://cygwin.com/setup-x86.exe.sig gpg --verify setup-x86.exe.sig setup-x86.exe gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA gpg: Good signature from "Cygwin <cygwin@cygwin.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA When running the app the following error occurs (Windows 7) This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with th e version of Windows you're running. Check your computer's system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher. ---- wget https://cygwin.com/setup-x86_64.exe.sig wget https://cygwin.com/setup-x86_64.exe gpg --verify setup-x86_64.exe.sig setup-x86_64.exe gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA gpg: Good signature from "Cygwin <cygwin@cygwin.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA -- Thomas Sanders | Sr. Network Systems Administrator TrellisWare Technologies, Inc. Office/FAX: 858-753-1654 | Mobile: 619-512-3311 -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" 2016-09-28 21:06 URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" Thomas Sanders @ 2016-09-28 21:11 ` Wayne Porter 2016-09-29 2:29 ` Herbert Stocker 2016-09-28 21:20 ` Andrey Repin 1 sibling, 1 reply; 8+ messages in thread From: Wayne Porter @ 2016-09-28 21:11 UTC (permalink / raw) To: cygwin [-- Attachment #1: Type: text/plain, Size: 1150 bytes --] On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote: > gpg --verify setup-x86.exe.sig setup-x86.exe > gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA > gpg: Good signature from "Cygwin <cygwin@cygwin.com>" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA This appears to be a good signature, just that the key is untrusted. Someone else correct me if I'm wrong, but that is typical to see, at least for me. > When running the app the following error occurs (Windows 7) > > This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with th > e version of Windows you're running. Check your computer's system information to > see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and > then contact the software publisher. What is the output of the following from your system: echo %PROCESSOR_IDENTIFIER% %PROCESSOR_ARCHITECTURE% Wayne Porter [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" 2016-09-28 21:11 ` Wayne Porter @ 2016-09-29 2:29 ` Herbert Stocker 2016-09-29 18:40 ` Lee 0 siblings, 1 reply; 8+ messages in thread From: Herbert Stocker @ 2016-09-29 2:29 UTC (permalink / raw) To: cygwin Hi, On 28.09.2016 23:05, Wayne Porter wrote: > On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote: >> gpg --verify setup-x86.exe.sig setup-x86.exe >> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA >> gpg: Good signature from "Cygwin <cygwin@cygwin.com>" >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to the owner. >> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA > > This appears to be a good signature, just that the key is untrusted. Someone > else correct me if I'm wrong, but that is typical to see, at least for me. But doesn't it mean that anybody who manages to hack into your web server, or who does a man in the middle attack on the HTTP (without S) connection, is able to replace the setup-x86.exe by a malicious one and to also provide a corresponding setup-x86.exe.sig, so that the gpg output will be "good signature but untrusted key"? my 2 cents. Herbert -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" 2016-09-29 2:29 ` Herbert Stocker @ 2016-09-29 18:40 ` Lee 0 siblings, 0 replies; 8+ messages in thread From: Lee @ 2016-09-29 18:40 UTC (permalink / raw) To: cygwin On 9/28/16, Herbert Stocker wrote: > Hi, > > On 28.09.2016 23:05, Wayne Porter wrote: >> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote: >>> gpg --verify setup-x86.exe.sig setup-x86.exe >>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID >>> 676041BA >>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>" >>> gpg: WARNING: This key is not certified with a trusted signature! >>> gpg: There is no indication that the signature belongs to the >>> owner. >>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 >>> 41BA >> >> This appears to be a good signature, just that the key is untrusted. >> Someone >> else correct me if I'm wrong, but that is typical to see, at least for >> me. > > But doesn't it mean that anybody who manages to hack into your web > server, or who does a man in the middle attack on the HTTP (without S) > connection, is able to replace the setup-x86.exe by a malicious one > and to also provide a corresponding setup-x86.exe.sig, so that the gpg > output will be "good signature but untrusted key"? Only if you don't already have a cygwin@cygwin.com key saved: if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ] then gpg --import ${DESTINATION}/pubring.asc fi altho checking for exactly one instance instead of an instance seems doubtful. On the other hand, I didn't even know setupXXX.exe was signed so I haven't been checking at all :( It'd be nice if someone could add a signature + public key link on the front page instead of having to click thru the "fresh install" or "update" link to find out there's signatures available. Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" 2016-09-28 21:06 URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" Thomas Sanders 2016-09-28 21:11 ` Wayne Porter @ 2016-09-28 21:20 ` Andrey Repin 2016-09-29 0:05 ` Thomas Sanders 1 sibling, 1 reply; 8+ messages in thread From: Andrey Repin @ 2016-09-28 21:20 UTC (permalink / raw) To: Thomas Sanders, cygwin Greetings, Thomas Sanders! > FYI, I don't know if this is working as designed (please see the application error below) > wget https://cygwin.com/setup-x86.exe > wget https://cygwin.com/setup-x86.exe.sig > gpg --verify setup-x86.exe.sig setup-x86.exe > gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA > gpg: Good signature from "Cygwin <cygwin@cygwin.com>" -------^^^^^^^^^^^^^^ > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA > When running the app the following error occurs (Windows 7) > This version of C:\Users\tsanders\cygwin_setup-x86.exe is not compatible with th > e version of Windows you're running. Check your computer's system information to > see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and > then contact the software publisher. Likely cause is your AV software blocking the file. Try saving it with -O innocent_name.exe > ---- > wget https://cygwin.com/setup-x86_64.exe.sig > wget https://cygwin.com/setup-x86_64.exe > gpg --verify setup-x86_64.exe.sig setup-x86_64.exe > gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA > gpg: Good signature from "Cygwin <cygwin@cygwin.com>" -------^^^^^^^^^^^^^^ > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA Did you copy-pasted wrong console output or what? -- With best regards, Andrey Repin Thursday, September 29, 2016 00:12:02 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" 2016-09-28 21:20 ` Andrey Repin @ 2016-09-29 0:05 ` Thomas Sanders 2016-09-29 5:40 ` Brian Inglis 2016-09-29 18:41 ` Achim Gratz 0 siblings, 2 replies; 8+ messages in thread From: Thomas Sanders @ 2016-09-29 0:05 UTC (permalink / raw) To: cygwin Thanks for the reply, here is the actual script. I must have copy/pasted the wrong info previously. ### wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ] then gpg --import ${DESTINATION}/pubring.asc fi echo "testing ${DESTINATION}/setup-x86.exe" gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe if [ ${?} -gt 0 ] then mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE fi echo "testing ${DESTINATION}/setup-x86_64.exe" gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe if [ ${?} -gt 0 ] then mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE fi ### Here is the output: testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA gpg: BAD signature from "Cygwin <cygwin@cygwin.com>" testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA gpg: Good signature from "Cygwin <cygwin@cygwin.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA -- Thomas Sanders | Sr. Network Systems Administrator TrellisWare Technologies, Inc. Office/FAX: 858-753-1654 | Mobile: 619-512-3311 -----Original Message----- From: Andrey Repin [mailto:anrdaemon@yandex.ru] Sent: Wednesday, September 28, 2016 2:14 PM To: Thomas Sanders; cygwin@cygwin.com Subject: Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" Greetings, Thomas Sanders! > FYI, I don't know if this is working as designed (please see the > application error below) wget https://cygwin.com/setup-x86.exe wget > https://cygwin.com/setup-x86.exe.sig > gpg --verify setup-x86.exe.sig setup-x86.exe > gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID > 676041BA > gpg: Good signature from "Cygwin <cygwin@cygwin.com>" -------^^^^^^^^^^^^^^ > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 > 41BA > When running the app the following error occurs (Windows 7) > This version of C:\Users\tsanders\cygwin_setup-x86.exe is not > compatible with th e version of Windows you're running. Check your > computer's system information to see whether you need a x86 (32-bit) > or x64 (64-bit) version of the program, and then contact the software publisher. Likely cause is your AV software blocking the file. Try saving it with -O innocent_name.exe > ---- > wget https://cygwin.com/setup-x86_64.exe.sig > wget https://cygwin.com/setup-x86_64.exe > gpg --verify setup-x86_64.exe.sig setup-x86_64.exe > gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID > 676041BA > gpg: Good signature from "Cygwin <cygwin@cygwin.com>" -------^^^^^^^^^^^^^^ > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 > 41BA Did you copy-pasted wrong console output or what? -- With best regards, Andrey Repin Thursday, September 29, 2016 00:12:02 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" 2016-09-29 0:05 ` Thomas Sanders @ 2016-09-29 5:40 ` Brian Inglis 2016-09-29 18:41 ` Achim Gratz 1 sibling, 0 replies; 8+ messages in thread From: Brian Inglis @ 2016-09-29 5:40 UTC (permalink / raw) To: cygwin On 2016-09-28 16:58, Thomas Sanders wrote: > ### > wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe > wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig > wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe > wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig > wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc > > if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ] > then > gpg --import ${DESTINATION}/pubring.asc > fi > > echo "testing ${DESTINATION}/setup-x86.exe" > gpg --verify ${DESTINATION}/setup-x86.exe.sig ${DESTINATION}/setup-x86.exe > if [ ${?} -gt 0 ] > then > mv ${DESTINATION}/setup-x86.exe ${DESTINATION}/setup-x86.exe.DONT_USE-BAD_SIGNATURE > fi > > echo "testing ${DESTINATION}/setup-x86_64.exe" > gpg --verify ${DESTINATION}/setup-x86_64.exe.sig ${DESTINATION}/setup-x86_64.exe > if [ ${?} -gt 0 ] > then > mv ${DESTINATION}/setup-x86_64.exe ${DESTINATION}/setup-x86_64.exe.DONT_USE-BAD_SIGNATURE > fi ### > Here is the output: > testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe > gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA > gpg: BAD signature from "Cygwin <cygwin@cygwin.com>" > > testing /tftpboot/PXE/mirrors/cygwin//setup-x86_64.exe > gpg: Signature made Fri 09 Sep 2016 02:20:05 AM PDT using DSA key ID 676041BA > gpg: Good signature from "Cygwin <cygwin@cygwin.com>" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA IIRC to suppress BAD and WARNING (it's been a while since I did this) you install gnupg package, then generate your own key: [following edited to obscure local details; I edited the details using the example provided in gpg; skip this step if you have already done it with your own details] $ gpg --gen-key gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: directory `~/.gnupg' created gpg: new configuration file `~/.gnupg/gpg.conf' created gpg: WARNING: options in `~/.gnupg/gpg.conf' are not yet active during this run gpg: keyring `~/.gnupg/secring.gpg' created gpg: keyring `~/.gnupg/pubring.gpg' created Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 2y Key expires at Fri 28 Sep 2018 09:17:14 PM GMT Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Heinrich Heine Email address: heinrichh@duesseldorf.de Comment: Der Dichter You selected this USER-ID: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. [*open another terminal and run "find / >& /dev/null &"; then do a Windows File Explorer search for e; browse the web and wave the mouse around; type junk into other windows; until the following messages stop appearing: may take a few minutes unless your system is running background work*] Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 264 more bytes) ............+++++ ....+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 86 more bytes) .....+++++ Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 128 more bytes) ............+++++ gpg: ~/.gnupg/trustdb.gpg: trustdb created gpg: key FFFFFFFF marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2018-09-29 pub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29] Key fingerprint = FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF uid Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de> sub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29] $ gpg --list-keys ~/.gnupg/pubring.gpg ---------------------------- pub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29] uid Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de> sub 2048R/FFFFFFFF 2016-09-29 [expires: 2018-09-29] $ Only then can you add the Cygwin key to your key ring: $ gpg --keyserver keys.gnupg.net --recv-keys 676041BA then make it good by running: $ gpg --keyserver keys.gnupg.net --edit-key 676041BA gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub 1024D/676041BA created: 2008-06-13 expires: never usage: SC sub 1024g/A1DB7B5C created: 2008-06-13 expires: never usage: E (1). Cygwin <cygwin@cygwin.com> gpg> trust pub 1024D/676041BA created: 2008-06-13 expires: never usage: SC sub 1024g/A1DB7B5C created: 2008-06-13 expires: never usage: E (1). Cygwin <cygwin@cygwin.com> Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 [or maybe 4?] gpg> q $ Now your gpg --verify should succeed with a good key. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" 2016-09-29 0:05 ` Thomas Sanders 2016-09-29 5:40 ` Brian Inglis @ 2016-09-29 18:41 ` Achim Gratz 1 sibling, 0 replies; 8+ messages in thread From: Achim Gratz @ 2016-09-29 18:41 UTC (permalink / raw) To: cygwin Thomas Sanders writes: > Thanks for the reply, here is the actual script. I must have copy/pasted the wrong info previously. > ### > wget -q http://cygwin.com/setup-x86.exe -O ${DESTINATION}/setup-x86.exe > wget -q http://cygwin.com/setup-x86.exe.sig -O ${DESTINATION}/setup-x86.exe.sig > wget -q http://cygwin.com/setup-x86_64.exe -O ${DESTINATION}/setup-x86_64.exe > wget -q http://cygwin.com/setup-x86_64.exe.sig -O ${DESTINATION}/setup-x86_64.exe.sig > wget -q http://cygwin.com/key/pubring.asc -O ${DESTINATION}/pubring.asc For checking the signatures to be of any real use, you'd need to use https at least. Also, you'd need to establish the provenance of the key independently. > testing /tftpboot/PXE/mirrors/cygwin//setup-x86.exe > gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA > gpg: BAD signature from "Cygwin <cygwin@cygwin.com>" BLODA, most likely. Particularly some stupid heuristic scanner that thinks that UPX compressed binaries are dangerous just because they use compression. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ Wavetables for the Terratec KOMPLEXER: http://Synth.Stromeko.net/Downloads.html#KomplexerWaves -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2016-09-29 18:40 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-09-28 21:06 URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>" Thomas Sanders 2016-09-28 21:11 ` Wayne Porter 2016-09-29 2:29 ` Herbert Stocker 2016-09-29 18:40 ` Lee 2016-09-28 21:20 ` Andrey Repin 2016-09-29 0:05 ` Thomas Sanders 2016-09-29 5:40 ` Brian Inglis 2016-09-29 18:41 ` Achim Gratz
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).