From: Lee <ler762@gmail.com>
To: cygwin@cygwin.com
Subject: Re: URGENT: BAD signature from "Cygwin <cygwin@cygwin.com>"
Date: Thu, 29 Sep 2016 18:40:00 -0000
Message-ID: <CAD8GWstWDWRxdMvPoEqg12Wrku4Ac=S=_Aq7Z3UZC1FFGBvG7w@mail.gmail.com>
In-Reply-To: <57EC76BB.9050503@gmx.de>
On 9/28/16, Herbert Stocker wrote:
> Hi,
>
> On 28.09.2016 23:05, Wayne Porter wrote:
>> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>>> gpg --verify setup-x86.exe.sig setup-x86.exe
>>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>>> gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg: There is no indication that the signature belongs to the owner.
>>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
>>
>> This appears to be a good signature, just that the key is untrusted.
>> Someone else correct me if I'm wrong, but that is typical to see, at least for me.
>
> But doesn't it mean that anybody who manages to hack into your web
> server, or who does a man in the middle attack on the HTTP (without S)
> connection, is able to replace the setup-x86.exe by a malicious one
> and to also provide a corresponding setup-x86.exe.sig, so that the gpg
> output will be "good signature but untrusted key"?
Only if you don't already have a cygwin@cygwin.com key saved:

if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
then
    gpg --import ${DESTINATION}/pubring.asc
fi

although checking for exactly one instance instead of an instance seems doubtful.
On the other hand, I didn't even know setupXXX.exe was signed so I
haven't been checking at all :(
It'd be nice if someone could add a signature + public key link on the
front page instead of having to click through the "fresh install" or
"update" link to find out there's signatures available.
Lee
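The point Herbert raises and Lee's "is the key already saved" check both come down to the same thing: a "Good signature" line only tells you the .sig matches the .exe under whatever key signed it, so a substituted .exe plus a .sig made with an attacker's key would still print "Good signature" (and the untrusted-key warning). What actually has to be checked is which key made the signature. The script below is an added example, not Lee's script and not anything Cygwin ships: it uses gpg's machine-readable `--status-fd` output and accepts the verification only when a `VALIDSIG` line carries the primary-key fingerprint quoted earlier in this thread (1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA). The `check_status` and `verify_pinned` function names are my own, and the sample status lines in the comments are constructed from the thread's output, not captured from a real run.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): verify a Cygwin setup
# download against a pinned signing-key fingerprint instead of grepping
# for "Good signature".

# Fingerprint quoted in the thread's gpg output, with spaces removed.
PINNED_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# check_status: read "gpg --status-fd" lines on stdin and succeed (exit 0)
# only if a VALIDSIG line names the pinned primary-key fingerprint.
# Any BADSIG, ERRSIG or NO_PUBKEY line fails immediately.
# Real gpg status lines look like this (constructed sample, same layout):
#   [GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <class> <primary-fpr>
check_status() {
    pinned=$1
    found=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # The last field of VALIDSIG is the primary key fingerprint;
                # strip everything up to the last space to isolate it.
                primary=${line##* }
                if [ "$primary" = "$pinned" ]; then
                    found=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1
                ;;
        esac
    done
    return $found
}

# verify_pinned SIGFILE DATAFILE
# Runs gpg with status output on stdout (human text to stderr is discarded)
# and applies the fingerprint check. The Cygwin public key must already be
# in the keyring; without it gpg emits NO_PUBKEY and this returns 1.
# Usage (hypothetical file names from the thread):
#   verify_pinned setup-x86.exe.sig setup-x86.exe && echo "OK: signed by pinned key"
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}
```

Because the decision is made on the fingerprint rather than on the "Good signature" text, importing a pubring.asc that happens to sit next to the download does not widen what the check accepts: a signature from any other key, however "good", is rejected. The first import of the key is still the moment of trust, so compare that fingerprint against the one published out of band before pinning it.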
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Thread overview: 8+ messages
2016-09-28 21:06 Thomas Sanders
2016-09-28 21:11 ` Wayne Porter
2016-09-29 2:29 ` Herbert Stocker
2016-09-29 18:40 ` Lee [this message]
2016-09-28 21:20 ` Andrey Repin
2016-09-29 0:05 ` Thomas Sanders
2016-09-29 5:40 ` Brian Inglis
2016-09-29 18:41 ` Achim Gratz