From: Lee
Date: Thu, 29 Sep 2016 18:40:00 -0000
Subject: Re: URGENT: BAD signature from "Cygwin "
To: cygwin@cygwin.com
In-Reply-To: <57EC76BB.9050503@gmx.de>
References: <20160928210553.GA12532@hdmetxxxx33004g.AD.UCSD.EDU> <57EC76BB.9050503@gmx.de>

On 9/28/16, Herbert Stocker wrote:
> Hi,
>
> On 28.09.2016 23:05, Wayne Porter wrote:
>> On Wed, Sep 28, 2016 at 07:52:05PM +0000, Thomas Sanders wrote:
>>> gpg --verify setup-x86.exe.sig setup-x86.exe
>>> gpg: Signature made Fri 09 Sep 2016 02:20:02 AM PDT using DSA key ID 676041BA
>>> gpg: Good signature from "Cygwin "
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg: There is no indication that the signature belongs to the owner.
>>> Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
>>
>> This appears to be a good signature, just that the key is untrusted.
>> Someone else correct me if I'm wrong, but that is typical to see, at
>> least for me.
>
> But doesn't it mean that anybody who manages to hack into your web
> server, or who does a man in the middle attack on the HTTP (without S)
> connection, is able to replace the setup-x86.exe by a malicious one
> and to also provide a corresponding setup-x86.exe.sig, so that the gpg
> output will be "good signature but untrusted key"?

Only if you don't already have a cygwin@cygwin.com key saved:

    if [ $(gpg --list-keys | grep -c 'cygwin@cygwin.com') != 1 ]
    then
        gpg --import ${DESTINATION}/pubring.asc
    fi

although checking for exactly one instance instead of an instance seems
doubtful.

On the other hand, I didn't even know setupXXX.exe was signed, so I
haven't been checking at all :(

It'd be nice if someone could add a signature + public key link on the
front page instead of having to click through the "fresh install" or
"update" link to find out there are signatures available.
Lee

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
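The check Herbert's question calls for, as an added example that is not part of the thread and not Cygwin's own setup or FAQ script. The snippet quoted above only tests that some key whose user ID contains cygwin@cygwin.com is in the keyring, so a key imported from a replaced pubring.asc passes it, and gpg itself exits 0 for a "good signature, untrusted key". The robust version ignores both and compares the fingerprint gpg reports on its machine-readable status channel against a value pinned in the script (here the primary key fingerprint printed in the thread, obtained out of band). The VALIDSIG field layout follows GnuPG's documented status-fd format (doc/DETAILS): field 3 is the signing key's fingerprint and the last field, on GnuPG versions that emit it, the primary key's. The file names in verify_setup and the three status-line samples are constructed for illustration, not captured from a real run.

```shell
#!/bin/sh
# Added example, not Cygwin project code: accept setup-x86.exe only if the
# detached signature was made by a key whose fingerprint is pinned here.
# "Good signature" alone is not enough; the key that made it must be ours.

# Primary key fingerprint of the Cygwin signing key as printed in the
# thread, written the way gpg's status lines emit it (uppercase, no spaces).
CYGWIN_FPR="1169DF9F22734F743AA59232A9A262FF676041BA"

# check_validsig EXPECTED_FPR
# Reads gpg --status-fd output from stdin. Returns 0 only if a VALIDSIG line
# is present and either its signing-key fingerprint (field 3) or its
# primary-key fingerprint (last field) equals EXPECTED_FPR. BADSIG, ERRSIG,
# NO_PUBKEY or an empty input leave no VALIDSIG line, so they all fail.
check_validsig() {
    expected=$1
    matched=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line            # word-split the status line
                sigfpr=$3               # fingerprint of the key that signed
                shift $(( $# - 1 ))
                primfpr=$1              # primary key fingerprint (last field)
                if [ "$sigfpr" = "$expected" ] || [ "$primfpr" = "$expected" ]; then
                    matched=1
                fi
                ;;
        esac
    done
    [ "$matched" -eq 1 ]
}

# verify_setup FILE SIG  (file names are the caller's; assumed for illustration)
# Feeds only gpg's machine-readable status lines to the check. gpg's own exit
# status is deliberately not used: with an attacker-supplied key imported it
# is still 0 ("good signature", just with a trust warning on stderr).
verify_setup() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_validsig "$CYGWIN_FPR"
}

# Constructed status output (not a real capture) for three cases.
# 1. Signature by the pinned key: accepted.
SAMPLE_PINNED_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2016-09-09 1473412802 0 4 0 17 2 00 1169DF9F22734F743AA59232A9A262FF676041BA
[GNUPG:] TRUST_UNDEFINED'

# 2. A "good signature" from some other key carrying the same user ID, which
#    is what a MITM who also swaps pubring.asc produces. Fingerprint made up.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2016-09-09 1473412802 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_UNDEFINED'

# 3. Tampered file: the signature does not verify at all.
SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>'

# demo SAMPLE: run the check over one constructed sample and report.
demo() {
    if printf '%s\n' "$1" | check_validsig "$CYGWIN_FPR"; then
        echo "ACCEPT: valid signature by the pinned key"
    else
        echo "REJECT: no valid signature by the pinned key"
        return 1
    fi
}

demo "$SAMPLE_PINNED_KEY"
demo "$SAMPLE_OTHER_KEY" || true
demo "$SAMPLE_BADSIG" || true
```

For a real download the call is `verify_setup setup-x86.exe setup-x86.exe.sig`, and the pinned value must come from somewhere other than the same HTTP connection (a second channel, a prior install, a colleague's keyring), or the pin is no better than the key it is meant to check.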