public inbox for cygwin@cygwin.com
* Adding an embedded signature on setup-x86_64.exe
@ 2022-11-18 21:15 Dale McCoy
  2022-11-20  7:26 ` Brian Inglis
  2022-11-20 17:17 ` Jon Turney
  0 siblings, 2 replies; 8+ messages in thread
From: Dale McCoy @ 2022-11-18 21:15 UTC (permalink / raw)
  To: cygwin

I use Cygwin in the course of work, and while I can use the external gpg
signature to verify the validity of setup-x86_64.exe, my IT department
can't see that step. They get somewhat concerned when they see that Windows
thinks setup-x86_64.exe is unsigned, and I certainly don't blame them.
Can I convince you to also embed a signature in the installer, so Windows
recognizes the file is signed?

I couldn't find a previous request on the mailing list for this, but I may
have missed it in my attempts to grep the monthly digests.

Thanks,
Dale McCoy
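
Added example (not part of the original thread, and not Cygwin project code): the embedded signature Windows looks for lives in the PE Certificate Table (data directory entry 4), whereas the gpg signature is a separate file the loader never sees. The check below reports whether that table is present; `build_sample` and its bytes are constructed for the demonstration.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Certificate Table

def embedded_signature_info(data: bytes):
    """Return (file_offset, size) of the PE Certificate Table, or None if the
    image carries no embedded signature. Raises ValueError for non-PE input."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
        opt_off = pe_off + 24                                      # after the COFF header
        (magic,) = struct.unpack_from("<H", data, opt_off)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs_off = opt_off + (112 if magic == 0x20B else 96)       # PE32+ vs PE32
        (num_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)
        entry = dirs_off + 8 * SECURITY_DIR
        if num_dirs <= SECURITY_DIR or entry + 8 > opt_off + opt_size:
            return None
        offset, size = struct.unpack_from("<II", data, entry)      # file offset, not an RVA
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return offset, size

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a runnable program) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + bytes(opt)
    if signed:
        blob = b"\0" * 16                      # stand-in for the signature data
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, len(image), len(blob))
        image = dos + b"PE\0\0" + coff + bytes(opt) + blob
    return image

if __name__ == "__main__":
    for signed in (False, True):
        print(signed, embedded_signature_info(build_sample(signed)))
```

A non-empty table only shows that a signature blob is embedded; Windows additionally validates it against a trusted root, so this is a presence check, not a verification.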


* Re: Adding an embedded signature on setup-x86_64.exe
  2022-11-18 21:15 Adding an embedded signature on setup-x86_64.exe Dale McCoy
@ 2022-11-20  7:26 ` Brian Inglis
  2022-11-20  8:46   ` Thomas Wolff
  2022-11-20 17:17 ` Jon Turney
  1 sibling, 1 reply; 8+ messages in thread
From: Brian Inglis @ 2022-11-20  7:26 UTC (permalink / raw)
  To: cygwin; +Cc: dalestan

On Fri Nov 18 21:15:04 GMT 2022, Dale McCoy wrote:
> I use Cygwin in the course of work, and while I can use the external gpg
> signature to verify the validity of setup-x86_64.exe, my IT department
> can't see that step. They get somewhat concerned when they see that Windows
> thinks setup-x86_64.exe is unsigned, and I certainly don't blame them.
> Can I convince you to also embed a signature in the installer, so Windows
> recognizes the file is signed?
> I couldn't find a previous request on the mailing list for this, but I may
> have missed it in my attempts to grep the monthly digests.

See thread "Should cygwin's setup*.exe be signed using Sign Tool?":

	https://cygwin.com/pipermail/cygwin/2015-April/220978.html
	https://inbox.sourceware.org/cygwin/E1Ydjc5-0000kv-WD@rmm6prod02.runbox.com/

In case we ever need it, one of our setup maintainers packaged osslsigncode:

	https://cygwin.com/packages/summary/osslsigncode-src.html

-- 
Take care. Thanks, Brian Inglis			Calgary, Alberta, Canada

La perfection est atteinte			Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter	not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer	but when there is no more to cut
			-- Antoine de Saint-Exupéry


* Re: Adding an embedded signature on setup-x86_64.exe
  2022-11-20  7:26 ` Brian Inglis
@ 2022-11-20  8:46   ` Thomas Wolff
  2022-11-20 18:37     ` Jon Turney
  0 siblings, 1 reply; 8+ messages in thread
From: Thomas Wolff @ 2022-11-20  8:46 UTC (permalink / raw)
  To: cygwin



On 20.11.2022 at 08:26, Brian Inglis wrote:
> On Fri Nov 18 21:15:04 GMT 2022, Dale McCoy wrote:
>> I use Cygwin in the course of work, and while I can use the external gpg
>> signature to verify the validity of setup-x86_64.exe, my IT department
>> can't see that step. They get somewhat concerned when they see that Windows
>> thinks setup-x86_64.exe is unsigned, and I certainly don't blame them.
>> Can I convince you to also embed a signature in the installer, so Windows
>> recognizes the file is signed?
>> I couldn't find a previous request on the mailing list for this, but I may
>> have missed it in my attempts to grep the monthly digests.
>
> See thread "Should cygwin's setup*.exe be signed using Sign Tool?":
>
>     https://cygwin.com/pipermail/cygwin/2015-April/220978.html
>     https://inbox.sourceware.org/cygwin/E1Ydjc5-0000kv-WD@rmm6prod02.runbox.com/
>
> In case we ever need it, one of our setup maintainers packaged osslsigncode:
>
>     https://cygwin.com/packages/summary/osslsigncode-src.html
>
Packaging error: the binary is placed in /usr


* Re: Adding an embedded signature on setup-x86_64.exe
  2022-11-18 21:15 Adding an embedded signature on setup-x86_64.exe Dale McCoy
  2022-11-20  7:26 ` Brian Inglis
@ 2022-11-20 17:17 ` Jon Turney
  2022-11-20 20:45   ` Brian Inglis
  1 sibling, 1 reply; 8+ messages in thread
From: Jon Turney @ 2022-11-20 17:17 UTC (permalink / raw)
  To: Dale McCoy, The Cygwin Mailing List

On 18/11/2022 21:15, Dale McCoy wrote:
> I use Cygwin in the course of work, and while I can use the external gpg
> signature to verify the validity of setup-x86_64.exe, my IT department
> can't see that step. They get somewhat concerned when they see that Windows
> thinks setup-x86_64.exe is unsigned, and I certainly don't blame them.
> Can I convince you to also embed a signature in the installer, so Windows
> recognizes the file is signed?

This is something I'd like to do, but unfortunately, the remaining blocking
issues are not technical.

In order to sign the code in this way, the key needs to be signed by a 
CA that participates in Microsoft Trusted Root Program.  These CAs 
charge an annual fee. As the person who makes the setup releases, I'm 
not going to pay that out of my own pocket, and we currently have no 
organization to collect donations for that (or any other) purpose.


* Re: Adding an embedded signature on setup-x86_64.exe
  2022-11-20  8:46   ` Thomas Wolff
@ 2022-11-20 18:37     ` Jon Turney
  2022-11-21 12:53       ` Jon Turney
  0 siblings, 1 reply; 8+ messages in thread
From: Jon Turney @ 2022-11-20 18:37 UTC (permalink / raw)
  To: The Cygwin Mailing List

On 20/11/2022 08:46, Thomas Wolff wrote:
>> In case we ever need it, one of our setup maintainers packaged 
>> osslsigncode:
>>
>>     https://cygwin.com/packages/summary/osslsigncode-src.html
>>
> Packaging error: the binary is placed in /usr

Thanks for pointing this out.

It seems this was an upstream defect in the cmake conversion they did 
for this version.  I applied the upstream patch to correct it.



* Re: Adding an embedded signature on setup-x86_64.exe
  2022-11-20 17:17 ` Jon Turney
@ 2022-11-20 20:45   ` Brian Inglis
  2022-11-21 12:49     ` Corinna Vinschen
  0 siblings, 1 reply; 8+ messages in thread
From: Brian Inglis @ 2022-11-20 20:45 UTC (permalink / raw)
  To: cygwin; +Cc: dalestan

On Sun, 20 Nov 2022 17:17:18 +0000, Jon Turney wrote:
> On 18/11/2022 21:15, Dale McCoy wrote:
>> I use Cygwin in the course of work, and while I can use the external gpg
>> signature to verify the validity of setup-x86_64.exe, my IT department
>> can't see that step. They get somewhat concerned when they see that Windows
>> thinks setup-x86_64.exe is unsigned, and I certainly don't blame them.
>> Can I convince you to also embed a signature in the installer, so Windows
>> recognizes the file is signed?

> This is something I'd like to do, but unfortunately, the remaining blocking
> issues are not technical.
> 
> In order to sign the code in this way, the key needs to be signed by a 
> CA that participates in Microsoft Trusted Root Program.  These CAs 
> charge an annual fee. As the person who makes the setup releases, I'm 
> not going to pay that out of my own pocket, and we currently have no 
> organization to collect donations for that (or any other) purpose.

If Cygwin becomes an SFC member, they may be able to fund Cygwin signing certs.

-- 
Take care. Thanks, Brian Inglis			Calgary, Alberta, Canada

La perfection est atteinte			Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter	not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer	but when there is no more to cut
			-- Antoine de Saint-Exupéry


* Re: Adding an embedded signature on setup-x86_64.exe
  2022-11-20 20:45   ` Brian Inglis
@ 2022-11-21 12:49     ` Corinna Vinschen
  0 siblings, 0 replies; 8+ messages in thread
From: Corinna Vinschen @ 2022-11-21 12:49 UTC (permalink / raw)
  To: Brian Inglis; +Cc: cygwin, dalestan

On Nov 20 13:45, Brian Inglis wrote:
> On Sun, 20 Nov 2022 17:17:18 +0000, Jon Turney wrote:
> > On 18/11/2022 21:15, Dale McCoy wrote:
> > > I use Cygwin in the course of work, and while I can use the external gpg
> > > signature to verify the validity of setup-x86_64.exe, my IT department
> > > can't see that step. They get somewhat concerned when they see that Windows
> > > thinks setup-x86_64.exe is unsigned, and I certainly don't blame them.
> > > Can I convince you to also embed a signature in the installer, so Windows
> > > recognizes the file is signed?
> 
> > This is something I'd like to do, but unfortunately, the remaining blocking
> > issues are not technical.
> > 
> > In order to sign the code in this way, the key needs to be signed by a
> > CA that participates in Microsoft Trusted Root Program.  These CAs
> > charge an annual fee. As the person who makes the setup releases, I'm
> > not going to pay that out of my own pocket, and we currently have no
> > organization to collect donations for that (or any other) purpose.
> 
> If Cygwin becomes an SFC member, they may be able to fund Cygwin signing certs.

Good point!


Corinna


* Re: Adding an embedded signature on setup-x86_64.exe
  2022-11-20 18:37     ` Jon Turney
@ 2022-11-21 12:53       ` Jon Turney
  0 siblings, 0 replies; 8+ messages in thread
From: Jon Turney @ 2022-11-21 12:53 UTC (permalink / raw)
  To: The Cygwin Mailing List


On 20/11/2022 08:46, Thomas Wolff wrote:
>> In case we ever need it, one of our setup maintainers packaged 
>> osslsigncode:
>>
>>     https://cygwin.com/packages/summary/osslsigncode-src.html
>>
> Packaging error: the binary is placed in /usr

Thanks for pointing this out.

It seems this was an upstream defect in the cmake conversion they did in 
this version.  I applied the upstream patch to correct it.
