On 30/12/2021 21:24, Greg Williamson wrote:
> Hello,
>
> While attempting to verify the installer found here:
> https://cygwin.com/install.html
>
> GPG verification for "setup-x86_64.exe" failed with "BAD signature from
> "Cygwin <cygwin@cygwin.com>". I also created a SHA512 hash of the 
> installer
> and it did not match the one posted here:
> https://cygwin.com/sha512.sum
>
> As a sanity check I attempted to verify the 32bit version "setup-x86.exe".
> The SHA512 matched and the GPG signature verification succeeded.
>
> I thought I'd report here in case there was a security issue. Thank you in
> advance for your assistance!
>
> ~Greg
>
This is concerning. I recently re-installed Cygwin so I'm glad I marked 
my packages as test. I hope those weren't compromised installers, though 
hopefully my antivirus would have stopped anything nefarious.

Hamish