public inbox for cygwin@cygwin.com
* RE: PGP signatures for packages?
@ 2002-05-17  0:16 Robert Collins
  0 siblings, 0 replies; 16+ messages in thread
From: Robert Collins @ 2002-05-17  0:16 UTC (permalink / raw)
  To: cygwin



> -----Original Message-----
> From: Christopher Faylor [mailto:cgf-cygwin@cygwin.com] 
> Sent: Friday, May 17, 2002 1:43 PM

> >I saw a note back in December
> >(http://sources.redhat.com/ml/cygwin/2001-12/msg00950.html)
> >that touched on this, but I couldn't find any followup.  Did this 
> >wither on the vine?
> 
> No.  It's actually part of the current setup.exe.

A minor erratum: the HEAD CVS tag has it. The current setup.exe just
silently ignores the data from the ini file.
 
Rob

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: PGP signatures for packages?
  2002-05-16 23:07 ` Charles Wilson
  2002-05-17  0:28   ` Michael Young
@ 2003-05-17 22:18   ` Lapo Luchini
  1 sibling, 0 replies; 16+ messages in thread
From: Lapo Luchini @ 2003-05-17 22:18 UTC (permalink / raw)
  To: CygWin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[reply to old message available online
<http://sources.redhat.com/ml/cygwin/2002-05/msg01065.html>]

Charles Wilson wrote, exactly one year ago, in the old message
<http://sources.redhat.com/ml/cygwin/2002-05/msg01065.html>:

 > 2) GPG signing/verification waiting on two things (three, actually):
 >   a) official cygwin package(s) for GPG and its libraries
 >   b) a mingw port of the GPG libraries
 >   c) hooks added to setup.exe to use the mingw-GPGlib.

(a) is long done (thanks Volker!!!).
(b) shouldn't be difficult as mingw is now one of the supported OSes
directly on gnupg.org
(c) is Robert's realm, and I'd gladly help if help is needed (but, hey, I
should first find the time to solve the last problems of the rsync port
first... guild is assaulting me...)

Ok ok, I know I know... I'm quite a crypto-freak... yeah...
(I couldn't live without it
<http://www.thinkgeek.com/tshirts/coder/57ee/>)


-- 
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)





* RE: PGP signatures for packages?
@ 2002-05-18 14:08 Robert Collins
  0 siblings, 0 replies; 16+ messages in thread
From: Robert Collins @ 2002-05-18 14:08 UTC (permalink / raw)
  To: Michael Young, cygwin



> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua@the-youngs.org] 
> Sent: Saturday, May 18, 2002 1:35 PM
> To: Robert Collins; cygwin@cygwin.com
> Subject: Re: PGP signatures for packages?
> 
> 
> > And adding GPG as a package should be easy. There are 
> > already volunteer 
> > binary downloads 'out there'. You just need to merge their build 
> > recipe and patches and the volunteer maintainer instructions.
> 
> My understanding is that the official Windows binaries for 
> GnuPG are built on Linux using a cross-compiler.  I don't 
> suppose that's a legitimate approach for an official Cygwin 
> package, though, is it? I'll look at what it will take to do 
> a native configure/compile.

http://www.google.com/search?hl=en&ie=UTF8&oe=UTF8&q=GPG+cygwin
http://disastry.dhs.org/pgp/gpg.htm

Rob 



* Re: PGP signatures for packages?
  2002-05-18  5:42   ` Charles Wilson
@ 2002-05-18 12:53     ` Lapo Luchini
  0 siblings, 0 replies; 16+ messages in thread
From: Lapo Luchini @ 2002-05-18 12:53 UTC (permalink / raw)
  To: CygWin

> We need a cygwin build -- perhaps built using a cygwin-targeted cross 
> compiler on linux-host, but definitely not using a 
> native-mswindows(mingw) targeted cross compiler on any host platform. 

This ML message says it is not "so easy" to compile the latest version for 
Cygwin: http://lists.gnupg.org/pipermail/gnupg-users/2002-May/012886.html
But there are patches around for gnupg-1.0.6 (latest is 1.0.7) for 
cygwin-1.3.2; I'll investigate more on this as I would like to package 
it for cygwin.

> 1  cygwin      cygwin         "self-hosted cygwin build"

Meaning this type of compiling ;)

BTW: Charles, could you please reply to me on the CVS messages? Even a "I 
don't know/I'm working on it/No time to write a good reply/Dunno" would 
be good, just to know you read them ^_^

-- 
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)






* Re: PGP signatures for packages?
  2002-05-18  1:40 ` Michael Young
@ 2002-05-18  5:42   ` Charles Wilson
  2002-05-18 12:53     ` Lapo Luchini
  0 siblings, 1 reply; 16+ messages in thread
From: Charles Wilson @ 2002-05-18  5:42 UTC (permalink / raw)
  To: cygwin

Michael Young wrote:

>>And adding GPG as a package should be easy. There are already volunteer
>>binary downloads 'out there'. You just need to merge their build recipe
>>and patches and the volunteer maintainer instructions.
>>
> 
> My understanding is that the official Windows binaries for GnuPG are
> built on Linux using a cross-compiler.  I don't suppose that's a
> legitimate approach for an official Cygwin package, though, is it?


No.  "official windows binaries" typically use the msvcrt.dll runtime, 
not cygwin1.dll.  Which means they don't understand cygwin's filename 
structure or mount points, making them awkward to use within the cygwin 
environment.

We need a cygwin build -- perhaps built using a cygwin-targeted cross 
compiler on linux-host, but definitely not using a 
native-mswindows(mingw) targeted cross compiler on any host platform.


> I'll look at what it will take to do a native configure/compile.


Errmmmm...in this context, 'native' is usually taken to mean "native 
microsoft" -- e.g. msvcrt.dll-runtime-based -- not cygwin-based.

---------------
Now that I've thoroughly confused everyone, let's clear up the mess:

    host        target         typical name
1  cygwin      cygwin         "self-hosted cygwin build"
2  linux       cygwin         "linux hosted cygwin target cross compile"
3  linux       mingw? native? "linux hosted native windows target"
                               "linux host, mingw target cross compile"
4  mingw/native?  mingw/native?  "self hosted mingw (or "native") build"

1) is good.  2) is good.  3) is bad.  4) is bad.

As Robert said, there are **cygwin** ports of GPG 'out there' -- search 
the mailing list archives for postings (I recall someone mentioning it 
along with mutt or pine in a recent email...)

--Chuck






* Re: PGP signatures for packages?
  2002-05-17 20:19 Robert Collins
@ 2002-05-18  1:40 ` Michael Young
  2002-05-18  5:42   ` Charles Wilson
  0 siblings, 1 reply; 16+ messages in thread
From: Michael Young @ 2002-05-18  1:40 UTC (permalink / raw)
  To: Robert Collins, cygwin

> And adding GPG as a package should be easy. There are already volunteer
> binary downloads 'out there'. You just need to merge their build recipe
> and patches and the volunteer maintainer instructions.

My understanding is that the official Windows binaries for GnuPG are
built on Linux using a cross-compiler.  I don't suppose that's a
legitimate approach for an official Cygwin package, though, is it?
I'll look at what it will take to do a native configure/compile.





* RE: PGP signatures for packages?
@ 2002-05-17 20:19 Robert Collins
  2002-05-18  1:40 ` Michael Young
  0 siblings, 1 reply; 16+ messages in thread
From: Robert Collins @ 2002-05-17 20:19 UTC (permalink / raw)
  To: Michael Young, cygwin



> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua@the-youngs.org] 
> Sent: Saturday, May 18, 2002 1:19 AM

 
> Would you be willing to provide the binary over HTTPS?
> It looks like Apache with mod_ssl is built for Cygwin.

This one I have no input on. Well I can voice an opinion, and that's
about that.

Here's my opinion: You won't gain anything significant by using SSL to
grab setup.exe. Setup.exe is already mirrored out to multiple sites. 

And adding GPG as a package should be easy. There are already volunteer
binary downloads 'out there'. You just need to merge their build recipe
and patches and the volunteer maintainer instructions.

Rob



* Re: PGP signatures for packages?
  2002-05-17  2:19 ` Cliff Hones
@ 2002-05-17 10:30   ` Charles Wilson
  0 siblings, 0 replies; 16+ messages in thread
From: Charles Wilson @ 2002-05-17 10:30 UTC (permalink / raw)
  To: Cliff Hones; +Cc: cygwin

Cliff Hones wrote:

> [Etymology - moot is an old word meaning meeting place, typically
> for an assembly or court.]
>

Hurrah for the Entmoot!

--Chuck





* Re: PGP signatures for packages?
  2002-05-17  0:51 Robert Collins
  2002-05-17  2:19 ` Cliff Hones
@ 2002-05-17 10:25 ` Michael Young
  1 sibling, 0 replies; 16+ messages in thread
From: Michael Young @ 2002-05-17 10:25 UTC (permalink / raw)
  To: cygwin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>That's it. But without that I will not sign setup.exe. Just like I
> > didn't compress it until UPX became a package :].

OK.  I was hoping that you might treat this as a post-build
distribution step, and might allow the use of non-Cygwin tools
(much the way a developer might use a non-Cygwin text editor
prior to building).  Nobody else should be attempting to
reproduce this result (that is, sign with *your* key).
But I admire your self-hosting philosophy, so I'll leave it at that.

Would you be willing to provide the binary over HTTPS?
It looks like Apache with mod_ssl is built for Cygwin.

Thanks again!






* RE: PGP signatures for packages?
@ 2002-05-17  2:23 Robert Collins
  0 siblings, 0 replies; 16+ messages in thread
From: Robert Collins @ 2002-05-17  2:23 UTC (permalink / raw)
  To: Cliff Hones, cygwin



> -----Original Message-----
> From: Cliff Hones [mailto:cliff@aonix.co.uk] 
> Sent: Friday, May 17, 2002 5:28 PM
> To: cygwin@cygwin.com; Robert Collins
> Subject: Re: PGP signatures for packages?
> 
> 
> Robert Collins <robert.collins@itdomain.com.au> wrote:
> > ...
> > Until that is done, conversation on this is moot.
> > ...
> 
> 'moot' is one of those words which doesn't travel well.
> In UK English, it means "undecided" or "debatable", so a
> moot point is one which hasn't been settled, and is open
> to discussion.
> 
> I believe in common US English it means "out of order" - ie 
> closed to discussion (at least for the moment).
> 
> What a wonderful language we use.
> 
> What does it mean in Australian English, Robert?

I'm not sure. Both the US and UK meanings are relevant for my statement
though :}. I'll leave you to wonder whether that was intentional.

Rob



* Re: PGP signatures for packages?
  2002-05-17  0:51 Robert Collins
@ 2002-05-17  2:19 ` Cliff Hones
  2002-05-17 10:30   ` Charles Wilson
  2002-05-17 10:25 ` Michael Young
  1 sibling, 1 reply; 16+ messages in thread
From: Cliff Hones @ 2002-05-17  2:19 UTC (permalink / raw)
  To: cygwin, Robert Collins

Robert Collins <robert.collins@itdomain.com.au> wrote:
> ...
> Until that is done, conversation on this is moot.
> ...

'moot' is one of those words which doesn't travel well.
In UK English, it means "undecided" or "debatable", so a
moot point is one which hasn't been settled, and is open
to discussion.

I believe in common US English it means "out of order" - ie
closed to discussion (at least for the moment).

What a wonderful language we use.

What does it mean in Australian English, Robert?

[Etymology - moot is an old word meaning meeting place, typically
for an assembly or court.]

I know this is partially OT, apart from settling Robert's
meaning; I'm not trying to start a language debate!

-- Cliff





* RE: PGP signatures for packages?
@ 2002-05-17  0:51 Robert Collins
  2002-05-17  2:19 ` Cliff Hones
  2002-05-17 10:25 ` Michael Young
  0 siblings, 2 replies; 16+ messages in thread
From: Robert Collins @ 2002-05-17  0:51 UTC (permalink / raw)
  To: Michael Young, cygwin



> -----Original Message-----
> From: Michael Young [mailto:mwy-ltua@the-youngs.org] 
> Sent: Friday, May 17, 2002 3:27 PM
> 

> So, how would the Cygwin team feel about GPG-signing just these
> two files?

I'm the setup.exe maintainer. Here's what I need before I will sign
setup.exe. (More on setup.ini later).

I need:
* A cygwin package, maintained by someone-that-is-not-me of GPG that is
compatible with my unix GPG (I know that should go without saying)
keyring.

That's it. But without that I will not sign setup.exe. Just like I
didn't compress it until UPX became a package :].

See http://www.cygwin.com/setup.html for information on contributing
GPG.

Until that is done, conversation on this is moot.

I would, BTW, sign it with a separate file. There may also be
logistical issues with upset getting the version number out of the upx
compressed file, but I think I have a solution to that that will work
for Chris.

As for setup.ini:

Signing of setup.ini is, IMO, meaningless at this point in time.
setup.ini, like the debian Packages or Releases or whatever the archive
is called, is a federated system. You can download from as many mirrors
as you like in one session, and setup provides a homogeneous view of the
result. In short, an unsigned setup.ini can alter the data you see from
a signed setup.ini. Per-package signing would be the way to go. Also, as
setup.ini is dynamically generated, we would have a serious key
management issue in attempting to have setup.ini signed. Per package
signing allows the key management to be federated as well - to each
maintainer - and thus would not cause the same headache as signing
setup.ini.

Cheers,
Rob



* Re: PGP signatures for packages?
  2002-05-16 23:07 ` Charles Wilson
@ 2002-05-17  0:28   ` Michael Young
  2003-05-17 22:18   ` Lapo Luchini
  1 sibling, 0 replies; 16+ messages in thread
From: Michael Young @ 2002-05-17  0:28 UTC (permalink / raw)
  To: cygwin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: "Charles Wilson" <cwilson@ece.gatech.edu>
> Currently, setup.ini contains md5 hashes for each tarball.  The released 
> version of setup.exe successfully ignores those md5's, but the HEAD will 

Doh! I should have noticed that.  That's great!

If the "setup.exe" and "setup.ini" files were signed, I could
complete the verification manually.

> "Wouldn't it be great if maintainers signed their packages with GPG?"

Yes and no (in reverse order below):

As a consumer of the collected binaries, I'd rather have signatures
from the Cygwin team (that is, whoever builds "setup.ini"), especially
if I'm going to do the verifications myself.  I don't know who the
legitimate developer(s) might be for each package.  That information
(e.g., the key fingerprints) would have to be included in the
"setup.ini" file for *either* automatic or manual verification.
(If the package owners aren't properly identified, through the
initialization file, key certifications, or the like, then anyone
could generate a key and sign a bogus version of a package.)  I'm
already trusting the provider of the "setup.exe" binary -- I'd rather
have everything signed by the one key of that provider.

Now, the Cygwin team might well benefit from individual maintainers
signing their packages.  This could make it to reliably pick up
source/binaries from the maintainers, and to build a legitimate
"setup.ini" file.  (As a consumer of the binaries, I might be comforted
knowing that such a process is in place, but ultimately, I'm trusting
whoever is putting it all together, not just the individual maintainers.)

> "Well, setup.exe would need to verify them"

Perhaps.  As I hinted above, if the "setup.ini" file itself is
signed, then the MD5 hashes are fine.

Even more importantly, I'd love to be able to verify the "setup.exe"
file.  If someone is able to compromise a mirror and install a
bogus "setup.exe", then all of this checking is for naught.

Since I need to verify "setup.exe" manually, I'd be quite willing to
verify one more file ("setup.ini").

Another means of protecting these two files would be to vend them
directly from "www.cygwin.com" over HTTPS.  I tried doing the
obvious URL transformation to retrieve "setup.exe", but that
failed.  (I also looked for an Authenticode signature on that
binary, but that wouldn't work for the data file, and I can
understand why this wouldn't be a popular approach in the GNU
community :-).  HTTPS is even more end-user-friendly, but
GPG signatures are cheaper (and may even be safer if the private
keys are kept offline).

So, how would the Cygwin team feel about GPG-signing just these
two files?

Thanks for your consideration (and for the quick response to my
first query).








* Re: PGP signatures for packages?
  2002-05-16 21:44 Michael Young
  2002-05-16 22:30 ` Christopher Faylor
@ 2002-05-16 23:07 ` Charles Wilson
  2002-05-17  0:28   ` Michael Young
  2003-05-17 22:18   ` Lapo Luchini
  1 sibling, 2 replies; 16+ messages in thread
From: Charles Wilson @ 2002-05-16 23:07 UTC (permalink / raw)
  To: Michael Young; +Cc: cygwin

Michael Young wrote:
> Are signatures available for the setup program, or for the packages it
> downloads?
> RPM uses GPG signatures, but I can't find anything comparable for the Cygwin
> binaries.  Even just a list of hashes would be worthwhile (ideally vended from
> a secure Cygwin/Redhat web page) to verify that a mirror (or download) hasn't
> been corrupted.  Real PGP signatures would be better.  I can live without tool
> support -- I can do the verifications manually, but only if I can find the
> signatures :-).
> 
> I saw a note back in December
> (http://sources.redhat.com/ml/cygwin/2001-12/msg00950.html)
> that touched on this, but I couldn't find any followup.  Did this wither on the
> vine?

Currently, setup.ini contains md5 hashes for each tarball.  The released 
version of setup.exe successfully ignores those md5's, but the HEAD will 
verify the downloaded tarballs against the hash (this may not yet be 
working...)

There was another, more recent thread (somewhere, I can't find it) where 
the following idea was kicked around:

"Wouldn't it be great if maintainers signed their packages with GPG?"
"Well, setup.exe would need to verify them"
"So link against libgpg!"
"Two problems: #1) libpgp isn't part of the cygwin distribution yet, and 
#2) even if it was, we'd need a native (mingw) version, not a cygwin 
version, since setup.exe is a mingw program.  But we need, in addition, 
a cygwin version of the gpg tools, so that maintainers who build their 
cygwin packages on a cygwin host can do the signing..."

So:
1) md5 hash verification coming soon
2) GPG signing/verification waiting on two things (three, actually):
   a) official cygwin package(s) for GPG and its libraries
   b) a mingw port of the GPG libraries
   c) hooks added to setup.exe to use the mingw-GPGlib.

Any volunteers for (a) or (b)?

--Chuck



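As an added illustration of the md5 check Chuck describes (setup.ini carrying a hash per tarball, setup.exe verifying the download against it) and of Rob's later point that a mirror's unsigned setup.ini can change what you see, here is example code that is not setup.exe's own; the setup.ini fragment and the "tarball" bytes are constructed, and the `install:` line layout (path, size, md5) is assumed to follow setup.ini's format.

```python
"""Check a package tarball against the md5 recorded for it in setup.ini.

Added example, not code from setup.exe. The setup.ini fragment and the
"tarball" bytes are constructed for this demonstration; the install:
line layout (path, size, md5) is assumed to be setup.ini's.
"""
import hashlib
import re

# Constructed stand-in for a downloaded tarball (not a real package).
TARBALL = b"constructed stand-in for release/upx/upx-1.20-1.tar.bz2\n"

# Constructed setup.ini fragment; size and md5 are filled in from TARBALL
# so the verification below has something real to check against.
SETUP_INI = """\
@ upx
sdesc: "Executable packer used to compress setup.exe"
version: 1.20-1
install: release/upx/upx-1.20-1.tar.bz2 {size} {md5}
source: release/upx/upx-1.20-1-src.tar.bz2 4096 0123456789abcdef0123456789abcdef
""".format(size=len(TARBALL), md5=hashlib.md5(TARBALL).hexdigest())

# install:/source: lines carry the tarball path, its byte size and an md5.
TARBALL_LINE = re.compile(
    r"^(install|source):\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_setup_ini(text):
    """Map package name -> {"install": (path, size, md5), "source": (...)}."""
    packages = {}
    current = None
    for line in text.splitlines():
        if line.startswith("@ "):          # "@ name" opens a package record
            current = line[2:].strip()
            packages[current] = {}
            continue
        m = TARBALL_LINE.match(line)
        if m and current is not None:
            kind, path, size, digest = m.groups()
            packages[current][kind] = (path, int(size), digest.lower())
    return packages


def verify_tarball(entry, data):
    """Return (ok, message) for downloaded bytes against a setup.ini entry.

    Only a corrupted or swapped download is detected here: whoever can edit
    setup.ini can edit the md5 too, which is why the thread wants setup.ini
    itself signed (or per-package signatures) on top of this check.
    """
    path, size, digest = entry
    if len(data) != size:                   # cheap check before hashing
        return False, f"{path}: size {len(data)} != expected {size}"
    actual = hashlib.md5(data).hexdigest()
    if actual != digest:
        return False, f"{path}: md5 {actual} != expected {digest}"
    return True, f"{path}: ok"


def changed_hashes(trusted_ini, mirror_ini):
    """Packages whose install md5 in a mirror's setup.ini differs from a
    trusted copy: the federation problem Rob raises when mirrors are mixed."""
    trusted = parse_setup_ini(trusted_ini)
    mirror = parse_setup_ini(mirror_ini)
    return sorted(
        name for name, rec in mirror.items()
        if "install" in rec and "install" in trusted.get(name, {})
        and rec["install"][2] != trusted[name]["install"][2]
    )


if __name__ == "__main__":
    entry = parse_setup_ini(SETUP_INI)["upx"]["install"]
    print(verify_tarball(entry, TARBALL))
    print(verify_tarball(entry, TARBALL + b"\0"))
```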

* Re: PGP signatures for packages?
  2002-05-16 21:44 Michael Young
@ 2002-05-16 22:30 ` Christopher Faylor
  2002-05-16 23:07 ` Charles Wilson
  1 sibling, 0 replies; 16+ messages in thread
From: Christopher Faylor @ 2002-05-16 22:30 UTC (permalink / raw)
  To: cygwin

On Thu, May 16, 2002 at 11:26:30PM -0400, Michael Young wrote:
>Are signatures available for the setup program, or for the packages it
>downloads?
>RPM uses GPG signatures, but I can't find anything comparable for the Cygwin
>binaries.  Even just a list of hashes would be worthwhile (ideally vended from
>a secure Cygwin/Redhat web page) to verify that a mirror (or download) hasn't
>been corrupted.  Real PGP signatures would be better.  I can live without tool
>support -- I can do the verifications manually, but only if I can find the
>signatures :-).
>
>I saw a note back in December
>(http://sources.redhat.com/ml/cygwin/2001-12/msg00950.html)
>that touched on this, but I couldn't find any followup.  Did this wither on the
>vine?

No.  It's actually part of the current setup.exe.

FWIW, md5sums in the download directories have been available for years.

cgf



* PGP signatures for packages?
@ 2002-05-16 21:44 Michael Young
  2002-05-16 22:30 ` Christopher Faylor
  2002-05-16 23:07 ` Charles Wilson
  0 siblings, 2 replies; 16+ messages in thread
From: Michael Young @ 2002-05-16 21:44 UTC (permalink / raw)
  To: cygwin

Are signatures available for the setup program, or for the packages it
downloads?
RPM uses GPG signatures, but I can't find anything comparable for the Cygwin
binaries.  Even just a list of hashes would be worthwhile (ideally vended from
a secure Cygwin/Redhat web page) to verify that a mirror (or download) hasn't
been corrupted.  Real PGP signatures would be better.  I can live without tool
support -- I can do the verifications manually, but only if I can find the
signatures :-).

I saw a note back in December
(http://sources.redhat.com/ml/cygwin/2001-12/msg00950.html)
that touched on this, but I couldn't find any followup.  Did this wither on the
vine?




